Monitoring and control of a handling device

ABSTRACT

The present invention relates to a monitoring and control device for monitoring a technical system having at least one portable and/or mobile and/or immobile device, and more specifically a handling device that is arranged in a protective device, and further including at least one preferably central or decentralized control unit and actuators connected thereto to carry out dangerous actions.

BACKGROUND OF THE INVENTION

The invention relates to a monitoring and control device for monitoring a technical system comprising at least one portable and/or mobile and/or immobile device, particularly a handling device that is arranged in a protective device, comprising at least one preferably central and/or decentralized control unit as well as actuators connected to it to carry out dangerous actions.

Furthermore, the invention concerns a method for the safety-related monitoring of at least one axis of a drive unit, which in particular is meant to monitor a technical system with at least one portable and/or mobile and/or immobile device with enhanced safety requirements, particularly a handling device that is arranged in a protective device, comprising at least one preferably central and/or decentralized control unit as well as actuators connected to it to carry out dangerous actions.

The invention also relates to an arrangement for the safety-related monitoring of an axis of a technical system powered by a drive unit, comprising an actual status value transmitter that is coupled with the axis, the transmitter being connected to a two-channel drive control for evaluation purposes.

Finally, the invention concerns a method for monitoring the speed of a specific movable point of a handling device, preferably of a robot flange or a tool center point (TCP) of a technical system, particularly of a handling device.

In order to design a handling device in such a way that it can also be operated in the vicinity of people, DE 39 02 247 A1 suggests designing the actual value transmitters for status acknowledgements and the control elements redundantly and providing a monitoring and safety circuit that is activated when signal deviations occur between the redundant pick-ups.

The monitoring and safety circuit responds to signal deviations between the redundant actual value transmitters; external safety precautions, however, are not incorporated in the evaluation. Familiar monitoring and safety circuits also do not provide for the circuit to actively intervene in the movements of the handling device.

DE 296 20 592 U1 discloses a device for the safety-related monitoring of a machine axis that is equipped with a separate processor and actual value recording system as well as error detection by signal comparison and forced dynamization. The device has two separate actual value recording systems, which direct their respective actual values to separate processors. The processors compare the actual values with upper and lower limits.

In the state of the art, for monitoring and controlling a braking device of the driving mechanisms of a handling device, an operator feeds electric current to a driving mechanism while the braking device is closed in order to generate a torque, and checks visually whether the driving mechanism moves despite the closed braking device. This procedure is not precise and must be conducted separately for each axis.

The state of the art also does not yet disclose how to monitor the movement of a defined point in Cartesian space with regard to position and speed.

The invention at issue faces, among other things, the problem of making a safety circuit available for the monitoring of the movements of a technical system, which can be used flexibly and enhances the safety of the technical system.

Furthermore, the invention is based on the problem of further developing a method and a device for the safety-related monitoring of an axis with a drive unit such that a single-channel actual value recording sensor system becomes possible even for enhanced safety-related requirements.

Additionally, the invention is based on the problem of further developing a method for controlling and monitoring a braking device such that automatic monitoring or verification is enabled in a simple manner.

SUMMARY OF THE INVENTION

The invention is also based on the problem of monitoring the movement of a defined point of a device of the technical system in Cartesian space.

In order to resolve the primary problem, it is suggested

to connect the monitoring and control device with sensors and/or actuators and to evaluate, process and control their respective status,

to connect the monitoring and control device with the control unit and have it transmit, in accordance with the status of the sensors and/or actuators, at least one release signal to the control unit in order to enable at least one operation in the technical system,

to have the monitoring and control device monitor the execution of this at least one operation, and

to create another signal in case of errors, which moves the system into a safe status.

The monitoring and control device is designed such that it can additionally be integrated into commercially available central and/or decentralized numerical controls in order to monitor dangerous operations of a technical system, particularly three-dimensional dangerous movements, in a safety-related manner that protects the operator(s). In case of a defective execution of the operations, a signal is generated to transfer the system into a safe condition.

The monitoring and control device is equipped with input and output levels, to which the sensors and/or actuators are connected. Additionally, interfaces are provided in order to connect the monitoring and control device with the existing central control unit via a bus, where required.

In a preferred version, the monitoring and control device is connected to a robot control. The design ensures that the at least one actuator and/or the at least one sensor is designed as a safety device that transfers the technical system into the safe status. In particular, the actuator is designed as a drive unit with appropriate drive controls or as a contactor that supplies the technical system or the drive controls with energy.

When all actuators and/or sensors are in a condition that agrees with the safety requirements, the release signal of the monitoring and control device triggers an operation such as a movement, which is monitored by the monitoring and control device, preferably by comparing it with stored and/or specified values such as execution, function or plausibility specifications or movement profiles.

In order to be able to use the monitoring and control device flexibly, the invention provides for the control unit to be connected to the at least one actuator and/or sensor and to the monitoring and control device via at least one data circuit, preferably a serial bus line. In particular, the control unit and the monitoring and control device are physically designed as separate devices.

In order to ensure safe monitoring of the movements, the invention's design is such that the control unit transmits, continuously or once, a target status value signal to the at least one connected drive control and/or to the monitoring and control device; that actual status value signals are transmitted from the at least one drive control to the control unit, preferably both to the control unit and to the monitoring and control device; that the actual status value signals of every drive control are compared to the drive-specific values and/or value ranges that are stored in the monitoring and control device and transmitted by the control unit; and that another signal is generated when the respective value and/or value range is left.

In order to achieve the highest possible fault tolerance, the drive controls and the monitoring and control device are each equipped with at least two channels in a redundant design, with the channels being connected to each other via the bus line CAN_A and a further bus line CAN_B; control signals and/or actual value information are transmitted via the bus line CAN_A, and actual value information via the bus line CAN_B. For the evaluation of electromechanical safety switches or similar sensors and for addressing external switching devices or actuators, the monitoring and control device is equipped with a two-channel output and input level, and at least two further bus connections are provided in order to connect the monitoring and control device with a higher-ranking safety bus.

In a preferred version, the actual status values transmitted from the drive controls are marked with an identifier; upon receipt of this identifier an interrupt is triggered in each microcontroller of the monitoring and control device, and the actual status values are read within a time interval. Additionally, each value and/or value range is assigned at least one safety-related output and/or input of the monitoring and control device, with the outputs and/or inputs being connected to passive and/or active switching elements such as electromechanical safety switches and/or contactors and a relay.

In order to perform service work and to initialize the technical system, the central control unit transmits target status value information for approaching defined positions such as the SAFE position or the SYNC position to the drive units and to the monitoring and control device, with the defined positions being assigned drive-specific values that are transmitted to the monitoring and control device and compared with the measured actual status values of the drive units.

According to the invention, the technical system is not equipped with hardware limit switches such as cams, but rather with axis-specific "electronic cams." In particular, a number of value ranges is defined for one drive unit or one drive axis, which is monitored by the monitoring and control device in a drive-specific manner, and each value and/or value range is assigned one or more outputs of the monitoring and control device. The values and/or value ranges can be programmed axis-specifically. When a status value range is exceeded, one or more outputs of the monitoring and control device are set so that the technical system can be turned off.

In the method for the safety-related monitoring of at least one axis of a drive unit, the problem is resolved by recording and evaluating an actual status value signal of the at least one axis, the actual status value signal being formed by two periodic signals that are phase-displaced relative to each other; the sum of the squares of the respective amplitudes of the signals is formed and compared to a value within a value range, and an error signal is generated if the sum is not within the specified value range.

The method with enhanced safety provides for the actual status value signal of the at least one axis to be recorded in a single-channel manner and evaluated in a two-channel manner, the actual status value signal being formed by two periodic signals that are phase-displaced relative to each other; the sum of the amplitude squares is formed in each channel and compared to a constant value or a value within the value range; an error signal is generated if the sum does not correspond to the specified value or is not within the value range; and the actual status value signal is further fed to the two-channel monitoring and control device, which compares the sums of amplitude squares formed in each channel of the drive control with each other and/or with the constant value or the value within the value range.

Preferably, the actual status value signal is composed of a sine and a cosine signal, and a plausibility check of the actual value signals is conducted in each channel by checking whether the sum of the squares of the output amplitudes at every scanning point in time corresponds to a specified value x, with x being within the range 0.9 ≤ x ≤ 1.1, preferably x = 1 = (sin φ)² + (cos φ)².

As an error-avoiding and/or error-controlling measure, the invention provides for a directional signal of a target speed or status value to be generated and compared to a directional signal of the actual speed or status value in a single-channel or two-channel manner, and for the values generated in a single-channel or two-channel manner to be fed to the monitoring and control device and compared to each other there.

Furthermore, the invention provides for an internal cross-comparison of the recorded actual values to be conducted between the channels, preferably between the micro-computers, and for a pulse block to be triggered in case of an error.
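The following is an added illustration, not part of the patent's disclosure, of the per-channel sin/cos plausibility check, the directional comparison of target and actual value, and the internal cross-comparison between the two channels described above. The 0.9 ≤ x ≤ 1.1 window is the one named in the text; the cross-comparison and standstill tolerances, the channel and scenario names, and all sample streams (a healthy transmitter, an open sine winding, a frozen ADC in one channel, and a target direction that contradicts the actual direction) are assumptions constructed for the demonstration.

```python
"""Two-channel evaluation of a single-channel sin/cos resolver signal.

Added illustration, not code from the patent: one transmitter delivers a
sin/cos pair, each channel digitises it with its own ADC, checks
sin^2 + cos^2 against the window 0.9 <= x <= 1.1 named in the text, derives
the shaft speed from successive scans and compares its direction with the
target direction; the two channels then cross-compare and a pulse block is
raised on any disagreement.  Tolerances other than the 0.9..1.1 window and
all sample streams are assumptions made for this demonstration.
"""
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

AMPLITUDE_MIN, AMPLITUDE_MAX = 0.9, 1.1   # window for sin^2 + cos^2 (from the text)
CROSS_TOL = 1e-3                          # assumed: max. speed deviation between channels [rad/s]
STANDSTILL = 1e-3                         # assumed: |speed| below which no direction check [rad/s]


@dataclass
class Sample:
    """One scanned actual-value pair, amplitudes normalised to 1.0."""
    sin: float
    cos: float


def plausibility_ok(s: Sample) -> bool:
    """Per-channel check: the sum of the squared amplitudes lies inside the window."""
    return AMPLITUDE_MIN <= s.sin ** 2 + s.cos ** 2 <= AMPLITUDE_MAX


def shaft_speed(prev: Sample, cur: Sample, dt: float) -> float:
    """Angular speed [rad/s] from two scans; the angle difference is wrapped to (-pi, pi]."""
    d = math.atan2(cur.sin, cur.cos) - math.atan2(prev.sin, prev.cos)
    d = (d + math.pi) % (2 * math.pi) - math.pi
    return d / dt


def direction_ok(target_speed: float, actual_speed: float) -> bool:
    """Directional signal of the target value must agree with that of the actual value."""
    if abs(target_speed) < STANDSTILL or abs(actual_speed) < STANDSTILL:
        return True                       # nothing to compare near standstill
    return (target_speed > 0) == (actual_speed > 0)


@dataclass
class Channel:
    """One evaluation channel (own ADC, own micro-computer) of the drive control."""
    name: str
    prev: Optional[Sample] = None

    def step(self, s: Sample, dt: float, target_speed: float) -> Tuple[float, List[str]]:
        """Evaluate one scan; returns (speed, error reasons found in this channel)."""
        reasons: List[str] = []
        if not plausibility_ok(s):
            reasons.append(f"{self.name}: sin^2+cos^2 outside window")
        speed = 0.0 if self.prev is None else shaft_speed(self.prev, s, dt)
        if self.prev is not None and not direction_ok(target_speed, speed):
            reasons.append(f"{self.name}: direction mismatch")
        self.prev = s
        return speed, reasons


def two_channel_step(ch_a: Channel, ch_b: Channel, s_a: Sample, s_b: Sample,
                     dt: float, target_speed: float) -> Tuple[bool, List[str]]:
    """Both channels evaluate their own ADC sample, then cross-compare; returns (pulse_block, reasons)."""
    v_a, reasons = ch_a.step(s_a, dt, target_speed)
    v_b, r_b = ch_b.step(s_b, dt, target_speed)
    reasons += r_b
    if abs(v_a - v_b) > CROSS_TOL:        # internal cross-comparison between the micro-computers
        reasons.append("cross-comparison mismatch")
    return bool(reasons), reasons


def run_scenarios(steps: int = 10, dt: float = 1e-3, step_angle: float = 0.1
                  ) -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed sample streams; returns {scenario: outcome} at the first pulse block or after `steps` scans."""
    def good(k: int) -> Sample:           # healthy transmitter, shaft turning at +100 rad/s
        return Sample(math.sin(step_angle * k), math.cos(step_angle * k))

    def sin_open(k: int) -> Sample:       # sine winding open: sin output stuck at 0
        return Sample(0.0, math.cos(step_angle * k))

    def stuck_b(k: int) -> Sample:        # channel B ADC frozen on its first conversion
        return good(0)

    scenarios: Dict[str, Tuple[Callable[[int], Sample], Callable[[int], Sample], float]] = {
        "healthy":       (good, good, +100.0),
        "sin_wire_open": (sin_open, sin_open, +100.0),
        "adc_b_stuck":   (good, stuck_b, +100.0),
        "wrong_dir":     (good, good, -100.0),
    }
    results: Dict[str, Tuple[bool, List[str]]] = {}
    for name, (src_a, src_b, target) in scenarios.items():
        ch_a, ch_b = Channel("A"), Channel("B")
        outcome: Tuple[bool, List[str]] = (False, [])
        for k in range(steps):
            outcome = two_channel_step(ch_a, ch_b, src_a(k), src_b(k), dt, target)
            if outcome[0]:
                break                     # first error triggers the pulse block
        results[name] = outcome
    return results
```

Note that the open sine winding passes the plausibility check for the first few scans (cos² stays above 0.9 near φ = 0) and is only caught once the shaft has turned far enough; this is why the text adds the directional comparison and the cross-comparison as further measures, and why the window is kept narrow.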

When the usual energy supply for the drive units is lacking (power down mode), a standstill monitoring process is conducted: the actual values are monitored in each channel, and a "marker" is set when the actual values change beyond the set tolerance limit; this marker is transferred into the monitoring and control device when the usual energy supply sources have been turned back on and compared to the stored target values.

In the arrangement for the safety-related monitoring of an axis of a technical system that is driven by a drive unit, comprising an actual status value transmitter that is coupled with the axis and connected to the two-channel drive control for evaluation purposes, the problem is resolved by a design in which the actual status value transmitter is a single-channel item and has at least two outputs at which two periodic signals that are phase-displaced relative to each other can be picked up when the axis turns, in which the outputs are each connected to one channel of the drive control, and in which the individual channels of the drive control are connected on the one hand with a higher-ranking central or decentralized control unit and on the other hand with a two-channel monitoring and control device in order to be able to compare the received actual value signals.

When the drive unit of a driving mechanism does not permit actual value recording, the invention provides for a design in which the two-channel drive control that is connected to the actual status value transmitter is located as an integral part of the monitoring and control device, or as a self-contained unit independent of the drive unit upstream of the device. In this case, the monitoring and control device can also be equipped with the drive control for actual value recording purposes. Of course the device for actual value recording can also be located upstream of the monitoring and control device as a separate unit.

In a beneficial version, the actual value transmitter is designed as a resolver with two analog outputs for the actual value signals and an input for a reference signal, with the outputs each being connected to a channel of the drive control via an analog-to-digital converter, and with the input for the reference signal being connected to a reference generator, which in turn is connected to the regulating unit of a channel via a control unit.

For control of the actual value recording process, the analog-to-digital converter of the second channel is connected via a first connection to an interrupt input of the signal processor, and the analog-to-digital converter of the first channel is connected via a second connection with an input of a driver component, whose output is connected to an interrupt control unit of the microcontroller. The time between two received interrupt signals (EOC) is measured, and a stop signal is triggered if no interrupt signal (EOC) is detected within a certain time frame. A pulse block is also generated when the reference frequency deviates from a frequency standard.
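The following is an added illustration, not part of the patent's disclosure, of the two timing supervisions described in the preceding paragraph: the watchdog on the end-of-conversion (EOC) interrupts of an ADC channel, which raises a stop when the gap between conversions exceeds a time frame, and the check of the resolver reference (excitation) frequency against a tolerance band. The deadline, the nominal frequency, the tolerance and the event traces are assumptions constructed for the demonstration; the text gives no numeric values for them.

```python
"""Supervision of the resolver acquisition timing (added illustration, not patent code).

The text measures the time between two end-of-conversion (EOC) interrupts and
triggers a stop if none arrives within a time frame, and blocks the pulses when
the reference frequency deviates from its standard.  Deadline, nominal
frequency, tolerance and the event traces are assumptions for the demo.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EOC_DEADLINE_S = 0.0015        # assumed: next EOC must arrive within 1.5 ms (1 kHz scan)
REF_FREQ_HZ = 8000.0           # assumed nominal resolver excitation frequency
REF_TOL = 0.05                 # assumed +/-5 % tolerance on the reference frequency


@dataclass
class EocWatchdog:
    """Tracks the EOC interrupts of one ADC channel and raises a stop on a missing conversion."""
    deadline: float = EOC_DEADLINE_S
    last_eoc: Optional[float] = None
    stop: bool = False
    gaps: List[float] = field(default_factory=list)   # measured EOC-to-EOC intervals [s]

    def eoc(self, t: float) -> None:
        """Call from the EOC interrupt with the current time stamp [s]."""
        if self.last_eoc is not None:
            gap = t - self.last_eoc
            self.gaps.append(gap)
            if gap > self.deadline:          # late conversion: stop signal
                self.stop = True
        self.last_eoc = t

    def poll(self, now: float) -> bool:
        """Periodic check (timer tick): an ADC that never fires again must also trip the stop."""
        if self.last_eoc is not None and now - self.last_eoc > self.deadline:
            self.stop = True
        return self.stop


def reference_frequency_ok(zero_crossing_times: List[float],
                           nominal: float = REF_FREQ_HZ, tol: float = REF_TOL) -> bool:
    """Excitation frequency from consecutive rising zero crossings must stay within tolerance."""
    if len(zero_crossing_times) < 2:
        return False                         # no measurable period: treat as a fault
    periods = [b - a for a, b in zip(zero_crossing_times, zero_crossing_times[1:])]
    measured = 1.0 / (sum(periods) / len(periods))
    return abs(measured - nominal) <= tol * nominal


def supervise(eoc_times: List[float], now: float, ref_crossings: List[float]) -> Tuple[bool, bool]:
    """Replay an EOC trace and a reference trace; returns (stop_due_to_eoc, pulse_block_due_to_reference)."""
    wd = EocWatchdog()
    for t in eoc_times:
        wd.eoc(t)
    return wd.poll(now), not reference_frequency_ok(ref_crossings)
```

The polling path matters for the failure mode in which the converter stops producing interrupts altogether: an interrupt-driven gap measurement alone would never run again, so the check must also be made from a periodic tick.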

In order to be able to control the fault of a mechanical separation of the single-channel drive shaft from the transmitter shaft of the resolver, the invention provides for the drive unit to be an electric drive system that is fed from an intermediate circuit, preferably an AC servomotor.

In a method for controlling and monitoring a braking device with a nominal torque or moment (M_NOM) that is allocated to a drive unit of a technical system such as a handling device, automatic monitoring/verification is enabled by measuring and storing a braking current (C_B) of the drive unit that corresponds to a braking moment while the braking device is opened, by feeding the drive unit, while the braking device is closed, with an axis-specific current value (C_TEST) that loads the braking device with a moment equal to or smaller than the nominal moment (M_NOM) of the braking device, and by simultaneously monitoring the drive mechanism for standstill.

Based on the invented method, the braking devices are monitored/verified automatically. When the braking devices are closed and current is fed, the drive mechanism is monitored for standstill. As soon as one axis or one drive mechanism moves, an error signal that points to a defect of a braking device is generated via the standstill monitoring system. In particular, this design provides the opportunity of monitoring all braking devices of a handling device simultaneously by feeding all drive mechanisms with a current value while the braking devices are closed.

In a preferred version, the current value (C_TEST) results from the measured braking current (C_B) and an offset current (C_OFFSET) based on the relation

C_TEST = C_B ± C_OFFSET

with C_OFFSET = x · C_N

with 0.6 ≤ x ≤ 1.0, preferably x = 0.8

with C_N being a current that generates a nominal moment corresponding to the maximum nominal moment of the braking device.

If the axis or drive mechanism to be checked is an axis under gravity load, the braking device is already loaded with a certain moment due to gravity, e.g. of the robot arm, which corresponds to the braking moment. For the purpose of testing the braking device, the drive mechanism is fed a current value that generates a moment acting in addition to the moment created by gravity, in the same direction.

According to another development, the invention provides for the current value C_TEST to generate a moment in the drive mechanism that amounts to 60 to 90% of the nominal moment, preferably to 80% of the nominal moment.
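The following is an added illustration, not part of the patent's disclosure, of the automatic brake test described in the preceding paragraphs: C_B is measured with the brake open, C_TEST = C_B ± C_OFFSET with C_OFFSET = x · C_N is fed with the brake closed, all axes are tested at the same time, and standstill monitoring flags any axis that moves. The sign convention (positive current opposes gravity, so C_B − C_OFFSET loads the brake in the direction of gravity as the text describes for gravity-loaded axes, and C_B + C_OFFSET loads it the other way; in both cases the brake sees a net moment of x · M_NOM), the torque constants, brake capacities, the slip model and the standstill threshold are assumptions constructed for the demonstration.

```python
"""Automatic brake test of all axes at once (added illustration, not patent code).

Per axis the drive measures the holding current C_B with the brake open, then
closes the brake and feeds C_TEST = C_B +/- C_OFFSET with C_OFFSET = x * C_N
(0.6 <= x <= 1.0, here x = 0.8) while the standstill monitor watches the axis.
Sign convention assumed here: positive current opposes gravity, so C_B - C_OFFSET
loads the brake in the gravity direction and C_B + C_OFFSET the other way; in
both cases the brake sees |x * M_NOM|.  Torque constants, brake capacities, the
slip model and the standstill threshold are assumed demonstration values.
"""
from dataclasses import dataclass
from typing import Dict, List

X_TEST = 0.8                   # 60..90 % of the nominal moment, preferably 80 % (from the text)
STANDSTILL_LIMIT_RAD = 0.002   # assumed: movement beyond this during the test = brake defect


@dataclass
class Axis:
    name: str
    k_t: float                 # motor torque constant [Nm/A] (assumed)
    m_nom: float               # nominal moment M_NOM of the brake [Nm]
    gravity_moment: float      # moment gravity exerts on the axis [Nm]; 0 for head axes
    brake_capacity: float      # moment the (possibly worn) brake can actually hold [Nm] (assumed)
    compliance: float = 0.01   # assumed rad of movement per Nm by which the brake is overloaded

    @property
    def c_n(self) -> float:
        """C_N: current producing the brake's nominal moment."""
        return self.m_nom / self.k_t

    def measure_holding_current(self) -> float:
        """C_B: current that holds the axis with the brake open, i.e. counteracts gravity."""
        return self.gravity_moment / self.k_t

    def test_current(self, c_b: float, x: float = X_TEST, toward_gravity: bool = True) -> float:
        """C_TEST = C_B -/+ C_OFFSET with C_OFFSET = x * C_N (sign selects the load direction)."""
        c_offset = x * self.c_n
        return c_b - c_offset if toward_gravity else c_b + c_offset

    def brake_load(self, current: float) -> float:
        """Net moment on the closed brake: motor moment minus gravity moment (+ opposes gravity)."""
        return self.k_t * current - self.gravity_moment

    def movement_under(self, current: float) -> float:
        """Constructed plant model: 0 rad if the brake holds, otherwise slip proportional to the overload."""
        load = self.brake_load(current)
        if abs(load) <= self.brake_capacity:
            return 0.0
        return (abs(load) - self.brake_capacity) * self.compliance


def brake_test(axes: List[Axis], x: float = X_TEST) -> Dict[str, bool]:
    """Test all brakes simultaneously; returns {axis name: brake_ok} from the standstill monitor."""
    holding = {ax.name: ax.measure_holding_current() for ax in axes}   # brakes open: store C_B
    results = {}
    for ax in axes:                                                   # brakes closed: feed C_TEST
        c_test = ax.test_current(holding[ax.name], x)
        moved = ax.movement_under(c_test)                             # standstill monitoring
        results[ax.name] = moved <= STANDSTILL_LIMIT_RAD
    return results


def defective_brakes(results: Dict[str, bool]) -> List[str]:
    """Axes for which the standstill monitor generated the error signal."""
    return [name for name, ok in results.items() if not ok]


def demo_axes() -> List[Axis]:
    """Constructed axes: two healthy brakes and one worn brake that only holds 30 Nm of its 50 Nm rating."""
    return [
        Axis("axis1", k_t=1.0, m_nom=50.0, gravity_moment=20.0, brake_capacity=55.0),
        Axis("head_axis", k_t=0.5, m_nom=10.0, gravity_moment=0.0, brake_capacity=12.0),
        Axis("axis3_worn", k_t=1.0, m_nom=50.0, gravity_moment=20.0, brake_capacity=30.0),
    ]
```

With x = 0.8 the worn brake (holding only 30 Nm) slips under the 40 Nm net load and is reported, while a brake that meets its 50 Nm rating holds; the test never loads a brake beyond M_NOM, so a healthy brake is not damaged by the check.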

Furthermore, the invention includes a design for axes not subject to gravity load in which the braking device can be released via an external switching contact and addressed via an external auxiliary energy source. This operating mode is only applied in emergency situations. The higher-ranking robot control and/or the monitoring device can be turned off. In this mode, the robot mechanism can be moved manually, for example in order to release a trapped person.

In order to resolve production disruptions, the invention provides for standstill monitoring of the remaining axes that are subject to gravity load while the braking devices of a group of axes that are not at all or only insignificantly subject to gravity load, such as head axes, are released individually. This operating mode is of advantage when, for example, after a disruption in the current source with a burnt welding wire a welding robot has become jammed in an area of the work piece that is difficult to access. In this case, the braking device can be lifted on a group of axes without gravity load in order to move the axes manually into a better position.

In a preferred version, a current supply source for the braking devices is added via an external control and monitoring device, with a drive control that is connected to the braking device generating a signal with which the braking device of an axis is opened or lifted. Apart from increased safety, this also enhances flexibility with respect to the variety of motors or brakes that can be connected.

The invention furthermore relates to a method for monitoring the speed of a movable, device-specific point of a technical system, particularly a handling device.

In order to be able to monitor the movement of the defined point in Cartesian space, the actual status value signals are recorded by the drive units, Cartesian coordinates of the point are calculated from the actual status value signals through a transformation, and the calculated Cartesian coordinates are compared to stored values and/or value ranges in order to generate a signal for stopping the device when the transformed Cartesian coordinates exceed the value and/or value range.

In a preferred version, a safely reduced speed is verified relative to the handling-device-specific point: a difference vector is calculated by subtracting a first Cartesian coordinate set at a first scanning point in time from a second Cartesian coordinate set at a second scanning point in time, a Cartesian speed of the point is determined via the time difference between the first and the second scanning point in time, and a signal is generated to stop the drive units when the calculated speed exceeds a specified maximum speed.

In another preferred method, a so-called brake ramp monitoring process occurs: upon triggering of a signal for stopping the device, a starting speed of the point is determined and stored; after a given time period the current speed is determined and compared to the starting speed; and if the current speed after the time period is equal to or larger than the starting speed, a signal is generated to immediately stop the device.
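The following is an added illustration, not part of the patent's disclosure, of the Cartesian monitoring described in the preceding paragraphs together with the axis-specific electronic cams introduced earlier: actual values of the axes are transformed into TCP coordinates, an axis cam (permitted value range per axis) and a Cartesian cam (permitted box for the TCP) are checked, the safely reduced speed is computed from the difference vector of two scans, and the brake ramp is checked after a stop signal. The transformation used here is that of a constructed planar two-axis arm; the robot in the text has at least four axes and its own device-specific transformation. Link lengths, cam limits, the maximum speed, the check delay and the trajectories are assumptions made for the demonstration.

```python
"""Cartesian monitoring of the TCP (added illustration, not patent code).

Demonstrates four checks from the text on a constructed two-axis planar arm
(assumed forward transformation; a real handling device uses its own):
axis-specific electronic cams (permitted value range per axis), a Cartesian
cam (permitted box for the TCP), the safely reduced speed from the difference
vector of two scans, and brake ramp monitoring after a stop signal.  Link
lengths, limits and trajectories are assumed demonstration values.
"""
import math
from typing import Dict, Optional, Sequence, Tuple

L1, L2 = 0.8, 0.6                             # assumed link lengths [m]
AXIS_CAMS = {0: (-math.pi / 2, math.pi / 2),  # assumed programmable value range per axis [rad]
             1: (-2.5, 2.5)}
CART_CAM = ((0.0, 1.5), (-0.5, 1.0))          # assumed permitted TCP box: (x_min, x_max), (y_min, y_max)
V_MAX_REDUCED = 0.25                          # assumed safely reduced speed limit [m/s]
RAMP_CHECK_DT = 0.2                           # assumed delay after which the brake ramp is checked [s]


def transform(q: Sequence[float]) -> Tuple[float, float]:
    """Forward transformation joint angles -> TCP Cartesian coordinates (planar 2-link arm, assumed)."""
    q1, q2 = q
    return (L1 * math.cos(q1) + L2 * math.cos(q1 + q2),
            L1 * math.sin(q1) + L2 * math.sin(q1 + q2))


def axis_cam_outputs(q: Sequence[float]) -> Dict[int, bool]:
    """Axis-specific electronic cams: the output of an axis is set (True) when it leaves its value range."""
    return {i: not (lo <= q[i] <= hi) for i, (lo, hi) in AXIS_CAMS.items()}


def cartesian_cam_violated(q: Sequence[float]) -> bool:
    """Cartesian cam: stop signal when the transformed TCP leaves the permitted box."""
    x, y = transform(q)
    (xmin, xmax), (ymin, ymax) = CART_CAM
    return not (xmin <= x <= xmax and ymin <= y <= ymax)


def tcp_speed(q_prev: Sequence[float], q_cur: Sequence[float], dt: float) -> float:
    """Cartesian speed of the TCP: length of the difference vector of two scans over the scan interval."""
    x0, y0 = transform(q_prev)
    x1, y1 = transform(q_cur)
    return math.hypot(x1 - x0, y1 - y0) / dt


def reduced_speed_violated(q_prev, q_cur, dt: float, v_max: float = V_MAX_REDUCED) -> bool:
    """Safely reduced speed: stop signal when the calculated speed exceeds the maximum."""
    return tcp_speed(q_prev, q_cur, dt) > v_max


def brake_ramp_ok(speeds: Sequence[float], dt: float, check_after: float = RAMP_CHECK_DT) -> bool:
    """Brake ramp monitoring on speeds sampled every dt after the stop signal (speeds[0] = start speed).
    Returns False (immediate stop) if the speed after `check_after` is equal to or larger than the start."""
    v_start = speeds[0]
    if v_start <= 0.0:
        return True                      # assumed handling: already at standstill, nothing to ramp
    idx = int(round(check_after / dt))
    if idx >= len(speeds):
        return False                     # no sample at the check time: treat the ramp as failed
    return speeds[idx] < v_start


def monitor(trajectory: Sequence[Sequence[float]], dt: float) -> Optional[Tuple[str, int]]:
    """Scan a joint trajectory; returns (kind, scan index) of the first violation, or None."""
    for k, q in enumerate(trajectory):
        if any(axis_cam_outputs(q).values()):
            return ("axis_cam", k)
        if cartesian_cam_violated(q):
            return ("cartesian_cam", k)
        if k > 0 and reduced_speed_violated(trajectory[k - 1], q, dt):
            return ("reduced_speed", k)
    return None


def run_demo() -> Dict[str, object]:
    """Constructed trajectories and ramps exercising each check."""
    return {
        "inside_slow": monitor([(0.2 + 0.001 * k, 0.5) for k in range(20)], dt=0.01),
        "too_fast":    monitor([(0.2 + 0.005 * k, 0.5) for k in range(20)], dt=0.01),
        "leaves_box":  monitor([(-0.1 * k, 0.0) for k in range(8)], dt=1.0),
        "axis_limit":  monitor([(0.0, 2.0 + 0.2 * k) for k in range(6)], dt=1.0),
        "ramp_ok":     brake_ramp_ok([0.5, 0.4, 0.3, 0.2, 0.1, 0.0], dt=0.05),
        "ramp_failed": brake_ramp_ok([0.5, 0.5, 0.5, 0.5, 0.5, 0.5], dt=0.05),
    }
```

The speed check is deliberately done on the transformed Cartesian coordinates rather than on joint speeds: with an outstretched arm a small joint speed already produces a TCP speed above the reduced limit, which is exactly the case the "safely reduced speed" function has to catch.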

Further developments result from the sub-claims, which at least in part include inventive versions of their own.

BRIEF DESCRIPTION OF THE DRAWINGS

Further details, advantages and features of the invention result not only from the claims and the features derived therefrom, either on their own and/or in combination, but also from the following description of the versions depicted in the figures.

They show:

FIG. 1 a diagrammatic view of a technical system comprising a handling device that is arranged in a protective room,

FIG. 2 a logic diagram of a control system used to control and/or regulate the handling device,

FIG. 3 a logic diagram of a monitoring and control device,

FIG. 4 a logic diagram for addressing a power level,

FIG. 5 a logic diagram of a drive control,

FIGS. 6-9 basic circuit designs of the safety switching elements integrated in a hand-held programming device,

FIG. 10 a flow chart of the function “SAFE POSITION,”

FIG. 11 a flow chart of the function “SYNCHRONOUS POSITION,”

FIG. 12 basic layout of axis-specific, programmable “electronic cams,”

FIG. 13 basic layout of a Cartesian cam,

FIG. 14 a flow chart for monitoring axis-specific electronic cams,

FIG. 15 a flow chart for monitoring a Cartesian cam,

FIG. 16 a speed diagram for depicting the function "brake ramp monitoring,"

FIG. 17 a pulse diagram to explain the release of the function “safelyreduced speed,”

FIG. 18 a flow chart to explain the function “safely reduced speed,”

FIG. 19 a pulse diagram to explain the function “TILT OPERATION,”

FIG. 20 a pulse diagram to explain the function “PULSE OPERATION,”

FIG. 21 a logic diagram to address braking units,

FIG. 22 a flow chart of the function “EMERGENCY STOP-ROUTINE,”

FIG. 23 a flow chart of the function “POWER DOWN MODE,” and

FIG. 24 a logic diagram of hardware elements that are active in case of a power failure.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 depicts a diagrammatic view of a technical system 10 with enhanced safety requirements. In the described example, the technical system 10 consists of a handling device 12, which is arranged within a safety installation such as the protective room 14 together with two placement spots 16, 18, which can be loaded via the allocated protective doors 20, 22. The handling device 12 is referred to as robot 12 in the following.

In the example described here, the robot 12 can be moved about at least four axes 23, 25, 27, 29, with each axis 23, 25, 27, 29 being assigned an actuator 24, 26, 28, 30, referred to as drive unit 24, 26, 28, 30 in the following. Of course the actuator can also be a contactor that supplies the drive unit 24, 26, 28, 30 with energy. In order to be able to synchronize the robot 12, for example after a power failure, a synchronization point or contact 32 is arranged within the protective room 14.

When the robot 12 is located in a position above the placement spot 18, protective door 20 can be opened in order to load the placement spot 16. During this phase, the position of the robot 12 is monitored in the manner described in the following. Sensors such as the switching contacts of the protective door 20 are logically combined with the actual status values of the robot 12, so that a shutdown occurs when the robot 12 leaves the specified safety area around its position above the placement spot 18.

FIG. 2 shows a control system 34, consisting of a central and/or decentralized control unit such as the robot control 36, the drive units 24 through 30 and a monitoring and control device 38, which is called the safety controller 38 in the following. The robot control 36 is connected via an interface 40 with a hand-held programming device 46, and via a bus line CAN_A, along a single bus strand, with the drive units 24-30 and the safety controller 38. Furthermore, the safety controller 38 is connected to the hand-held programming device 46 via a connecting line 44. The hand-held programming device 46 can also be used to program the robot control 36, for which purpose the interface 42 of the safety controller 38 is connected via a bus line CAN_C and the CAN interface 40 with the robot control 36.

The drive units 24-30 have the same design, which is explained using the example of drive unit 24. In order to record actual status value signals, the drive unit 24 has a resolver 48, which is connected to a drive control 50 of redundant design. The drive control 50 has two channels or circuits 52, 54, each channel containing its own CAN controller 56, 58. The CAN controllers 56 are connected with each other via the bus CAN_A, which connects the drive control 50 on the one hand with the robot control 36 and on the other hand with the safety controller 38. The CAN controllers 58 are connected with each other via a further bus CAN_B, which connects the controllers 58 with the safety controller 38. The drive unit 24 furthermore comprises a motor, a power supply part, possibly a gear mechanism and a braking unit (not shown).

The safety controller 38 also has a two-channel design with an autonomous micro-computer 58, 60 in each channel. The micro-computers 58, 60 are connected via a CAN controller 62, 64 with the bus line CAN_B and the bus line CAN_A, respectively. Furthermore, the micro-computers 58, 60 are connected to an input/output level 66 in order to connect or read safe inputs and outputs. Safe inputs and outputs of the input/output level 66 are, for example, connected to contacts of the protective doors 20, 22 of the protective room 14. For additional data exchange, the micro-computers 58, 60 can be coupled via further CAN controllers 68, 70 and an interface 72 with a higher-ranking safety bus.

The robot control 36 assumes all central regulating and control tasks and is not subject to any safety considerations. In particular, the robot control 36 is physically independent from the safety controller 38, so that operational processes occur in separate devices. It is intended that the safety controller is connected via the input/output level 66 with the sensors or switching contacts of the protective doors 20, 22, and via the bus lines CAN_A and CAN_B with the actuators or drive units 24, 26, 28, 30, in order to evaluate, process and control their status. In accordance with the status of the switching contacts of the protective doors 20, 22 and/or of the drive units 24, 26, 28, 30, the safety controller transmits at least one release signal to the control unit 36 so that the robot 12 can execute an operation. Afterwards, the execution of the at least one operation is continuously monitored by the safety controller. In case of an error, another signal is generated with which the system 10 is transferred into the safe status.

This further signal implements a "STOP-1" function, i.e. the signal initiates a controlled stop, with the energy supply to the drive units being maintained in order to achieve the stop and being interrupted only once standstill has been reached.

In the robot control 36 all target status values of the respective drive units 24-30 are calculated and transferred one after the other via the bus CAN_A to the drive units 24-30. The drive units 24-30 each transfer an actual status value back to the robot control via the bus CAN_A, whereupon values such as slipping distance, following error (towing distance) etc. can be calculated in the robot control 36.

For recording the actual status value, the resolver 48 is provided, which is mechanically coupled directly with the motor via the motor shaft. Analog actual value signals exist at the output of the resolver 48 and are digitized in the drive control 50. The resolver 48 supplies the drive control 50 with information that serves the axis-specific regulation. In particular, current regulation for the power supply part driving the motor is achieved with the drive control 50. The actual value information, however, is not only transferred via the bus CAN_A to the robot control 36, but also transferred to the safety controller 38 via the bus lines CAN_A and CAN_B in a redundant manner in order to be monitored there.

FIG. 3 depicts a detailed layout of the safety controller 38. The safety controller 38 is supplied with energy by an external power supply unit 74. Every micro-computer 58, 60 is assigned its own power supply part 76, 78, which is connected to the power supply unit 74. The CAN controllers 62, 64 are connected via the transceivers 80, 82 with the bus lines CAN_A and CAN_B. Furthermore, the micro-computers 58, 60 are connected via the additional CAN controllers 68, 70 and transceivers 84, 86 with a higher-ranking safety bus. The interface 42 for the hand-held programming device 46 is connected via the bus CAN_C on the one hand with the robot control 36 and on the other hand with the hand-held programming device 46, with the bus CAN_C being physically looped through within the safety controller 38.

The micro-computers 58, 60 are connected to each other via a connection 88 for the purpose of data exchange. This way, the actual values received in the individual channels can be compared with each other.

As an alternative to the hand-held programming device 46, the safety controller 38 and/or the control device 36 can also be operated via a control panel (not shown), whose interface is part of the safety controller 38 and connected to at least one micro-computer 58, 60.

The input/output unit 66 comprises an output level 92 and an input level 94. The output level comprises switching transistors that can be addressed by the micro-computers 58, 60. The input level 94 comprises inputs to which safety switching devices such as emergency-off switches or other switching contacts can be connected. A safety switching device is connected between an input of the first and of the second micro-computer 58, 60 or between an output of the first and of the second micro-computer 58, 60, respectively. The inputs are read inputs of the respective micro-computer 58, 60, and the outputs are write outputs of the micro-computers 58, 60. Actuators such as contactors can be connected to the output level 92 for switching a release signal. The input level 94 exists in order to be able to connect sensors such as switching contacts, emergency-off switches, proximity switches, etc.

Generally, the technical system 10 with its control 36 and drive units 24-30 is addressed via power supply contactors or main contactors K1, K2, which are connected directly with an output of the monitoring and control device 38.

Alternatively, addressing can also occur in accordance with the layout in FIG. 4, with the outputs of the monitoring and control device 38 being eliminated.

FIG. 4 is a basic logic diagram for addressing the power unit of the drive units 24-30. The monitoring switching contacts of the protective doors 20, 22 are connected to a safety relay component 96. Outputs of the safety controller 38 are connected to a second safety relay component 98. The outputs of the safety relay components are coupled with each other and address the main contactors K1, K2 of a power switch 100. The drive unit is supplied with energy via the main contactors K1, K2. Addressing of the main contactors K1, K2 occurs either via the safety controller 38, the protective doors 20, 22 or a combination of both signals.

The robot control 36 can address a total of 24 drive units, with the safety controller 38 being in a position to monitor the same number of axes.

The safety controller 38 receives the actual status values of the respective drive units 24-30 via the buses CAN_A and CAN_B. Both buses serve the redundant actual status value recording process. The bus CAN_A represents an operational bus for the robot control 36, with the bus CAN_B representing a transmission circuit that is additionally integrated into the system in order to achieve redundancy. Since in this case two independent transmission media are involved, the occurrence time of the second error is decisive for discovering hardware errors in one of the two transmission circuits. All information transmitted via the buses CAN_A or CAN_B is processed in the separate CAN controllers 62, 64 and made available to the respective micro-computers 58, 60. The higher-ranking micro-computers 58, 60 are also decoupled. Thus, this is a completely redundant system as far as the transmission medium and the processing of received information are concerned.

All safety-relevant signals are sent to the inputs of the input level 94. This way, the safety controller 38 also assumes the evaluation of the sensors such as electromechanical safety switches, in addition to monitoring tasks. Via the output level 92, actuators such as external electromechanical relay combinations can be selected, which can then be combined with external signals, for example protective door signals, or the outputs of the safety controller 38 are connected directly with the power contactors K1, K2.

FIG. 5 depicts a logic diagram of the drive control 50 with the resolver 48. The drive control 50 consists of the redundant circuits 52 and 54. The circuit 52 is equipped with a micro-computer 102, which has the CAN controller 56 as an integral component and chip. The CAN controller 56 is connected to the bus CAN_A, consisting of the data lines CAN_A_H and CAN_A_L, via a transceiver 104. Furthermore, the micro-computer 102 includes an internal SRAM 106, an IO control mechanism 108 as well as an IR processing device 110 and is connected to an analog-to-digital converter via a bus 112. An output 116 of the analog-to-digital converter 14 is connected on the one hand directly with the micro-computer 102 and on the other hand with the micro-computer 102 via a divider 117.

The second channel 54 is equipped with a first signal processor 120 with internal SRAM memory as well as an internal IR processing device 124. The first signal processor 120 is connected to a second signal processor 128 via a DPRAM 126. This in turn is coupled with the micro-computer 102 via a DPRAM 130. The signal processor 128 is connected to a driver 132, which controls the CAN controller 58. The CAN controller 58 is connected to the bus CAN_B via a transceiver 134, which comprises the lines CAN_B_H and CAN_B_L.

The signal processor 120 is connected via a bus with an analog-to-digital converter 136 on the one hand and with a control element 138, which contains a timer, a counter and a status generator, on the other hand. The control element 138 is furthermore connected via a bus with the micro-computer 102. The control element 138 is also connected via a bus with a frequency generator 140, which generates a reference signal for the resolver 48. For this purpose, an output of the frequency generator 140 is connected to an input 142 of the resolver. And finally, the control element 138 has another output, where the SOC (start of conversion) signal can be found. This output is connected to an input of the analog-to-digital converters 114, 136.

The resolver has a first output 144, where a sine signal can be found. The first output 144 is connected to an input of the analog-to-digital converters 114, 136 via an amplifier. Furthermore, the resolver has a second output 146, where a cosine signal can be found. The second output 146 is connected to an input of the analog-to-digital converters 114, 116 via an amplifier. The resolver 48 is coupled via a shaft 148 with a motor 150. The resolver 48 is adjusted synchronously to the motor phases.

With reference to FIG. 2 it should be noted that the drive control 50 represents a self-contained unit, with the safety controller 38 exercising no influence whatsoever on the drive control 50. When the drive control 50 detects an error, this message is sent directly to the safety controller 38 or a pulse block is activated in the drive control 50, i.e. the transmission of actual value information is stopped. Since the safety controller 38 has a time expectancy circuit towards actual value signals, the absence of these actual value signals leads to the main contactors K1 and K2 being turned off by the safety controller, thus transferring the system into a safe condition.

Generation of the actual value occurs by feeding the resolver 48 a reference signal via the input 142. The reference signal is generated in the reference frequency generator 140, which is selected by the control element 138. A central timer, which generates pulses for a counting step and a status generator connected to it, is integrated in the control element 138. At the peak of the reference voltage the SOC (start of conversion) signal for the analog-to-digital converters 114, 136 can be found. Apart from a coil that is fed the reference signal, the resolver 48 is equipped with two additional coils, which are preferably coupled with the motor shaft and where a sine and a cosine current can be found.

The reference coil is fed the reference signal, which is coupled inductively onto the sine and cosine coils. Depending on the position of the sine/cosine coil, a sine/cosine signal is obtained at the outputs 144, 146 with constant amplitude and frequency. Depending on the position of the rotor, a phase displacement (0 . . . 360°) occurs between the reference signal and the sine or cosine signals. At the peak of the reference signal or reference voltage, the sine and cosine signals are sampled, and an actual position is calculated from the ratio of the two amplitudes within one resolver revolution. A rotation angle φ of 0 to 360° corresponds to an actual value of 0 to 4096 increments for a resolution of 12 bit. The resolver 48 must be adjusted synchronously to the motor phase in order to provide maximum torque. This means that the phase angle φ=0 is to be set. When the phase angle becomes larger, the torque of the motor decreases continuously and is exactly zero at φ=+90° and φ=−90°. When the phase angle exceeds φ=±90°, a pole reversal of the direction occurs, i.e. a positive speed specification has the effect that the motor turns in the negative direction. This would turn the control circuit into an unstable condition, and the motor could no longer be controlled.

In order to recognize such a pole reversal in the direction, the motor control should be provided with a speed plausibility check. Here, the sign of the target speed or status value is constantly compared to the sign of the actual speed or status value.

If both signs are contrary over a defined period of time, one can proceed on the assumption that a reversal in the direction exists. Observation over a defined period of time is necessary to keep the monitoring process from responding in the case of operational control fluctuations.

The sine or cosine signals that exist at the outputs 144, 148 of the resolver 48 are fed to the analog-to-digital converters 140, 136. Once the conversion has occurred, the analog-to-digital converter 136 provides an EOC (end of conversion) signal, which starts the operating system cycle of the signal processor 120. It is only when the operating system cycle runs properly that the appropriate actual status values are forwarded via the DPRAM 126 to the signal processor 128, which transfers them via the driver 132, the CAN controller 38 and the transceiver 134 to the bus CAN_B, via which the actual values are transferred to the safety controller 38. Should the operating system cycle not be triggered properly, a “STOP-0” signal, i.e. safe stop of operation, is sent to the safety controller 38 via the bus CAN_B. The error message “STOP-0” effects a stopping of the system by immediately turning off the power supply to the drive units, which is also called uncontrolled stopping.

Upon successful conversion of the input signals, the analog-to-digital converter 114 supplies an EOC signal (end of conversion), which is sent into an interrupt input of the micro-computer 102 via the timer 118. Internally, the time between two received EOC interrupts is measured in order to check for a deviation of the reference frequency from the frequency standard, preferably 7.5 kHz, or for the complete absence of the reference frequency, e.g. when the central timer fails. In this case a pulse block is activated, and a signal “STOP-0” is sent to the safety controller 38 via the bus CAN_A.

As soon as the signal processor 122 receives the EOC signal, an internal timer is triggered, which is decremented in a cyclical administrative part of the operating system and responds when the counter reaches zero, i.e. when the EOC signal fails. In this case the pulse block is activated as well. The pulse block switches the motor to the “torque-free” status. When the watchdog is selected, a hardware test is triggered and the safety controller 38 transfers the system 12 into a safe condition.

Additionally, the invention provides for a variety of measures for error recognition and error treatment. In order to check the analog-to-digital converters 114, 136, the reference frequency generator 140 as well as the outputs 144, 146 of the resolver 48, a plausibility check is conducted. The plausibility check uses the two amplitudes of the sine/cosine signals of the resolver 48 in such a way that the sum of the amplitude squares (sin φ)² + (cos φ)² is ideally the sum x with x in the range 0.9 ≤ x ≤ 1.1, preferably x = 1. In order to suppress a triggering of the plausibility check due to disruptions such as noise in the signal lines, the sum x is assigned a defined tolerance window. A prerequisite for the plausibility check is the standardization of the sine/cosine signals, which is established once and is not changed thereafter.

In the case of non-plausible amplitudes for the sine and cosine signals, each channel 52, 54 sends the “STOP-0” signal separately to the safety controller 38. Formation of the actual value and the plausibility check are conducted redundantly in the micro-computers 102, 120, with the micro-computer 102 working at a reduced recording rate. Recording every 32 periods corresponds to 32 × 132 μs = 4.2 ms (10 ms/rev at 6,000 RPM max). The micro-computer 102 sends its actual values via the bus CAN_A, and the micro-computer 120 sends its actual values via the signal processor and the bus CAN_B to the safety controller 38, which checks the received values and acts as a safe comparison element. At the same time, the micro-computers 102 and 120, 128 conduct an internal cross-comparison via the DPRAM 130 and react in the case of errors by actuating the motor brake, activating the pulse block and sending the signal “STOP-0” via the buses CAN_A and CAN_B. It should be noted here that activation of the pulse blocks stops the motor more quickly than the safety controller 38.

In order to monitor the static offset between the transmitter and the motor shaft or to monitor a mis-adjustment of the resolver 48 as well as to monitor a dynamically controlled slippage between the resolver 48 and the motor shaft 148, a speed plausibility check is conducted. The speed plausibility check is also conducted redundantly in the micro-computers 102, 120. Both micro-computers 102, 120 send the signal “STOP-0” independently of each other to the safety controller 38 via the buses CAN_A or CAN_B when the monitoring process responds. The speed plausibility check can only work properly if the status and speed control is active, i.e. during normal operation when the drive mechanisms are turned on.

In a so-called “power down mode,” i.e. when the drive mechanisms have no operating voltage, a standstill check is conducted by the micro-computers 102, 120 by recording the actual values of the drive mechanisms. If a change to the actual values occurs that is beyond a set tolerance limit, a marker “machine asynchronous” is set in the micro-computers. The two asynchronous markers are sent to the safety controller 38 upon restarting and compared there.

Furthermore, a speed plausibility check is conducted in order to recognize a pole reversal in the direction on the drive mechanism. The sign of the target speed or status value is constantly compared with the sign of the actual speed or status value. If both signs are contrary over a defined period of time, one can proceed on the assumption that a reversed direction exists. Observation over a defined period of time is necessary to prevent the monitoring process from responding in the case of operational control fluctuations. The permissible control fluctuation must be defined.

In the case of a phase offset between the resolver 48 and the motor shaft 148 that is smaller than ±90° as well as in the case of a dynamically uncontrolled slippage of the resolver on the motor shaft 148, a two-channel towing distance (following error) monitoring phase is triggered in the signal processor 128 as well as the micro-computer 102. At first, the actual status value is subtracted from the target status value (control deviation). After that, it is checked whether the determined control deviation is within the tolerance setting. When the tolerance range is exceeded, the micro-computer 102 and the signal processor 128 request the signal “STOP-0” from the safety controller 38. The towing distance examination is conducted in every status control cycle, which is preferably 2 ms.
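The speed plausibility check (sign comparison over a defined period, with a defined permissible control fluctuation) and the towing distance examination of the two preceding paragraphs, as an added example in one channel's 2 ms control cycle; this is not the patent's code, and the deadband, observation period, tolerance and the speed traces are constructed values.

```c
#include <stdio.h>
#include <stdlib.h>

enum { DRIVE_OK = 0, DRIVE_STOP0_REVERSAL = 1, DRIVE_STOP0_TOWING = 2 };

typedef struct {
    double   speed_deadband;     /* permissible control fluctuation: |speed| below it has no sign */
    unsigned period_ms;          /* defined period over which contrary signs must persist */
    unsigned cycle_ms;           /* status control cycle, preferably 2 ms */
    long     towing_tolerance;   /* permitted control deviation in increments */
    unsigned contrary_ms;        /* accumulated time with contrary speed signs */
} drive_monitor_t;

static int speed_sign(double v, double deadband)
{
    return v > deadband ? 1 : (v < -deadband ? -1 : 0);
}

/* One status control cycle of both plausibility monitors in one channel.
   Returns DRIVE_OK or the STOP-0 reason the channel would report. */
int drive_monitor_cycle(drive_monitor_t *m, double target_speed, double actual_speed,
                        long target_pos, long actual_pos)
{
    /* speed plausibility: signs constantly compared, reversal assumed only after the period */
    int st = speed_sign(target_speed, m->speed_deadband);
    int sa = speed_sign(actual_speed, m->speed_deadband);
    if (st != 0 && sa != 0 && st != sa)
        m->contrary_ms += m->cycle_ms;
    else
        m->contrary_ms = 0;                 /* agreement or standstill restarts the observation */
    if (m->contrary_ms >= m->period_ms)
        return DRIVE_STOP0_REVERSAL;

    /* towing distance: control deviation = target - actual, must stay within tolerance */
    long deviation = target_pos - actual_pos;
    if (labs(deviation) > m->towing_tolerance)
        return DRIVE_STOP0_TOWING;
    return DRIVE_OK;
}

/* Run a constructed trace of actual speeds against a constant target speed and a
   constant position pair. Returns the first non-OK result (or DRIVE_OK) and the
   cycle index at which it occurred (-1 if none). */
int drive_monitor_run(drive_monitor_t *m, double target_speed, const double *actual_speeds,
                      int cycles, long target_pos, long actual_pos, int *stop_cycle)
{
    *stop_cycle = -1;
    for (int i = 0; i < cycles; i++) {
        int r = drive_monitor_cycle(m, target_speed, actual_speeds[i], target_pos, actual_pos);
        if (r != DRIVE_OK) { *stop_cycle = i; return r; }
    }
    return DRIVE_OK;
}

int main(void)
{
    /* constructed parameters: 5 increments/s deadband, 20 ms period, 2 ms cycle, 200 incr. tolerance */
    drive_monitor_t m = { 5.0, 20, 2, 200, 0 };
    /* a short sign flip (one cycle) inside a positive command: a control fluctuation, no stop */
    double fluct[6] = { 100, 100, -100, 100, 100, 100 };
    int at;
    int r = drive_monitor_run(&m, 100.0, fluct, 6, 1000, 1000, &at);
    printf("fluctuation trace: result %d at cycle %d\n", r, at);
    /* permanently contrary signs: direction reversal recognised after 10 cycles = 20 ms */
    double reversed[10] = { -100, -100, -100, -100, -100, -100, -100, -100, -100, -100 };
    r = drive_monitor_run(&m, 100.0, reversed, 10, 1000, 1000, &at);
    printf("reversal trace: result %d at cycle %d\n", r, at);
    return 0;
}
```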

Furthermore, internal error detection mechanisms are triggered in the micro-computer 102 and the micro-computer 120. The EOC signal of the analog-to-digital converter 114 is sent to the micro-computer 102 via two interrupt inputs 152, 154. The input 152 is fed the EOC signal directly, while the input 154 receives the EOC signal after it has passed the programmable divider 118, preferably at a division ratio of 1:32. During normal operation, only the input 154 is active. In the “power down mode” only the interrupt input 152 is active, since the divider component 118 is idle in the “power down mode.” During normal operation, the time between two operating system runs, preferably 2 ms, is smaller than the time between two EOC signals, preferably 4 ms. If an EOC signal exists on the interrupt input 154, an interrupt routine is triggered, in which the following operations are conducted: first an interrupt marker is set, then a counter (value range 0 . . . 2000 ms) is read and memorized, and then the digital value that is fed via the bus 112 is read and stored. The operating system checks the interrupt marker in every run in order to see whether an interrupt has occurred since the previous run. If no interrupt occurred, only an operating system cycle counter is incremented. If an interrupt occurred, however, the exact time between two EOC signals and thus the frequency is determined from the difference between the timer counter (up-to-date) and the timer counter (predecessor) and from the number of operating system cycles. Furthermore, the stored converted digital value is processed, and the operating system cycle counter as well as the interrupt marker are set to zero. If after a defined number of operating system runs no interrupt is recorded, one can proceed on the assumption that a hardware error exists in the central timer 138.
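The interrupt routine and operating system run just described, as an added example (not the patent's code): the ISR on input 154 sets the marker, memorises the timer and stores the conversion; each 2 ms run either measures the EOC interval modulo the timer range and checks the derived reference frequency against 7.5 kHz, or counts runs without an interrupt until the central timer is declared faulty. Microsecond timer ticks, the 1:32 divider, a 5 % tolerance and the limit of three runs without interrupt are assumptions.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>

#define TIMER_RANGE_US 2000000u   /* free-running counter covering 0..2000 ms (assumed 1 us ticks) */

enum { EOC_NO_INTERRUPT = 0, EOC_OK = 1, EOC_FREQ_ERROR = 2, EOC_TIMER_FAILURE = 3 };

typedef struct {
    /* written by the interrupt routine on input 154 */
    volatile int      irq_marker;
    volatile uint32_t irq_timer_us;      /* timer counter memorised in the ISR */
    volatile uint16_t irq_adc_value;     /* digital value read via bus 112 in the ISR */
    /* operating system state */
    uint32_t prev_timer_us;              /* timer counter of the predecessor interrupt */
    int      have_prev;
    unsigned os_cycles_since_irq;        /* operating system cycle counter */
    uint16_t last_adc_value;             /* last processed conversion */
    /* configuration */
    unsigned divider;                    /* EOC reaches input 154 every 'divider' reference periods */
    unsigned max_cycles_without_irq;     /* after this many runs the central timer is assumed faulty */
    double   f_nominal_hz;               /* reference frequency standard */
    double   f_tolerance;                /* relative tolerance on the measured frequency */
} eoc_monitor_t;

eoc_monitor_t eoc_monitor_init(void)
{
    eoc_monitor_t m = { 0 };
    m.divider = 32;                      /* division ratio 1:32 */
    m.max_cycles_without_irq = 3;        /* assumed: 4 ms interval vs 2 ms run, plus one run of slack */
    m.f_nominal_hz = 7500.0;             /* 7.5 kHz */
    m.f_tolerance = 0.05;                /* assumed */
    return m;
}

/* Interrupt routine: set marker, memorise timer, read and store the converted value. */
void eoc_interrupt(eoc_monitor_t *m, uint32_t timer_us, uint16_t adc_value)
{
    m->irq_marker    = 1;
    m->irq_timer_us  = timer_us;
    m->irq_adc_value = adc_value;
}

/* One operating system run (every 2 ms). Returns EOC_OK when an interval inside the
   tolerance was measured (or the first interrupt was seen), EOC_FREQ_ERROR or
   EOC_TIMER_FAILURE when pulse block and STOP-0 would be triggered, and
   EOC_NO_INTERRUPT when no new EOC arrived since the previous run. */
int eoc_os_cycle(eoc_monitor_t *m, double *f_ref_hz)
{
    if (!m->irq_marker) {
        m->os_cycles_since_irq++;
        if (m->os_cycles_since_irq > m->max_cycles_without_irq)
            return EOC_TIMER_FAILURE;    /* reference frequency absent: central timer fault */
        return EOC_NO_INTERRUPT;
    }
    uint32_t now = m->irq_timer_us;
    int result = EOC_OK;
    if (m->have_prev) {
        /* exact time between two EOC signals, taking the counter wrap-around into account */
        uint32_t dt_us = (now + TIMER_RANGE_US - m->prev_timer_us) % TIMER_RANGE_US;
        double f = (double)m->divider * 1e6 / (double)dt_us;   /* dt_us == 0 yields inf -> error */
        if (f_ref_hz) *f_ref_hz = f;
        if (fabs(f - m->f_nominal_hz) > m->f_tolerance * m->f_nominal_hz)
            result = EOC_FREQ_ERROR;     /* deviation from the frequency standard */
    }
    m->prev_timer_us = now;
    m->have_prev = 1;
    m->last_adc_value = m->irq_adc_value;   /* process the stored converted value */
    m->os_cycles_since_irq = 0;
    m->irq_marker = 0;
    return result;
}

int main(void)
{
    eoc_monitor_t m = eoc_monitor_init();
    double f = 0.0;
    eoc_interrupt(&m, 1000u, 2048u);          /* constructed: first EOC at t = 1.000 ms */
    eoc_os_cycle(&m, &f);
    eoc_interrupt(&m, 5267u, 2050u);          /* 4.267 ms later: 32 periods of 7.5 kHz */
    printf("result %d, f_ref = %.1f Hz\n", eoc_os_cycle(&m, &f), f);
    for (int i = 0; i < 4; i++)               /* no further EOC: timer failure after 3 runs */
        printf("run %d: result %d\n", i + 1, eoc_os_cycle(&m, &f));
    return 0;
}
```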

No frequency examination of the EOC signal occurs in the micro-computer 120; only the existence of the EOC signal is checked with a software watchdog. When the EOC signal arrives at the micro-computer 120, an interrupt occurs, thus winding up an internal timer, which is decremented in a cyclical administrative part (waiting for interrupt) of the operating system and responds when the timer is at zero, i.e. when the EOC signal has failed. In this case, the pulse block is activated.

When the pulse block is activated, a control input of an IGBT part is taken back, thus making the drive mechanism “torque-free.” For this control input, the driver signals of channel 52 and channel 54 are combined with each other in a piece of hardware. If a driver signal of a channel 52, 54 is taken back, the pulse block in the IGBT is set. Selection of the pulse block occurs in a two-channel manner and becomes only single-channel after combination in the hardware.

The following should be noted for actual value recording by the safety controller 38. The operational bus CAN_A serves as the first channel to the safety controller 38 for redundant actual value recording. Apart from actual value signals, operational data is also transferred on this bus. The transmission speed can be up to 1 Mbit/s. Since the bus can be loaded up to 92%, the data bytes are not secured at a higher-ranking level. The safety controller 38 filters the actual value signals from the information that is available.

The second channel is an additional physically separated bus CAN_B. Its function consists of connecting the two channels 54 of the drive units with the second channel of the safety controller 38 for actual value recording purposes. The data generated in the channel 54 of the drive control 50 is put on the bus CAN_B independently of the channel 52. This way, redundant independent data transmission occurs to the safety controller 38. In the safety controller 38, the data is accepted with separate transceivers 80, 82 and processed with separate CAN controllers 62, 64.

If a message exists at the transceiver 80, 82, it is reported to the CAN controller 62, 64. The CAN controller 60, 64 decides whether this message starts with the identifier that was declared to be the actual value information. If this is the case, it triggers an interrupt in the micro-computer 58, 60. The micro-computer 50, 60 selects the CAN controller 62, 64. When the micro-computer 50, 60 has received all actual values within a defined period of time, the transformation routines start. This process occurs independently in both micro-computers 50, 60.

The robot control 36 and/or the safety controller 38 are programmed via the hand-held programming device 46. The hand-held programming device 46 is connected to the safety controller 38 and the bus CAN_C via a flexible line 44 in order to transmit programming instructions from the hand-held programming device 46 to the robot control 36. This bus line is looped through within the safety controller 38 and has no electrical connection with the internal components such as the micro-computers of the safety controller 38.

Apart from the operational function keys, the hand-held programming device 46 contains safety-related switches or sensing devices such as the emergency off switch, operating mode selection switch, permissive switch, on switch and off switch. The design of the safety-relevant switching elements of the hand-held programming device 46 is explained with FIGS. 6 through 9.

An emergency off switch 156 (FIG. 6) that is integrated into the hand-held programming device 46 is monitored for cross circuits because the supply line 44 is subjected to considerable strain. Cross circuit recognition is realized with the help of pulses generated by switching elements 158, 160 via one channel 162, 164, respectively. The channels or lines 162, 164 are connected to an external supply voltage device within the hand-held programming device 46 via the switching elements 158, 160. The lines 162, 164 are connected to the inputs 168, 170 of the safety controller 38. The switching elements generate a cycle for testing the lines 162, 164 within semi-conductor groups in the safety controller 38. This cycle has a time expectancy status compared to the cycle that is generated. If a channel 162, 164 is fed a cycle, all other inputs 168, 170 are monitored for input status changes. The release of an output is only permitted after the hand-held programming device 46 has sent the respective pulses via the emergency off channels 162, 164 and time expectancy was set.

Furthermore, the hand-held programming device 46 is equipped with an operating mode selection switch 172 (FIG. 7), which has the design of a key-operated switch. The hand-held programming device generates a cycle via a clock generator 174, which differs from the cycle of the emergency off device. The position of the operating mode selection switch 172 is subjected to a plausibility check. The operating mode selection switch has three make contacts 176, 178, 180 in the version described here, where one make contact of the operating mode selection switch 172 must always be closed and two make contacts always have to be in the open status. Only one position of the operating mode selection switch is accepted. Overall, three function types can be set. The function type “AUTO” is only possible when the protective screen (20, 22) is closed. The “SETTING” function is monitored for safely reduced speed, as explained in the following, and the “AUTO TEST” can only be executed with the help of the permissive switch 182.

FIG. 8 depicts the function of the permissive switch 182. The permissive switch is connected to the supply voltage device 166 via a clock generator 184. An input 186 of the safety controller 38 monitors the cycle of the clock generator 184. The permissive switch has the design of a single-channel, three-step selecting device. Only the middle step (ON) is evaluated.

The drive devices are turned on with a commercially available, not safety-related switch 188 of the hand-held programming device 46. Information is read into the robot control 36 via the bus CAN_C and passed on to the safety controller 38 via the bus CAN_A. The function “DRIVE MECHANISM OFF” is triggered with a commercially available switch with break function. This function can be triggered from any number of places. The information is read into the safety controller 38 and passed on to the robot control via the bus CAN_A.

As was mentioned above, the safety controller 38 and/or the robot control 36 can be parameterized via the hand-held programming device 46. The hand-held programming device includes operating or user software. Upon complete parameterization, the operator must conduct an acceptance inspection test and check safety-relevant functions. Safety-relevant data that cannot be changed, which must be loaded as basic parameterization, can be loaded via a serial interface with the help of a PC. All loaded data is sent back from the safety controller 38 to the PC in a different format and presentation for the purpose of confirmation by the user. The user must confirm the received data.

According to the state of the art, handling devices have mechanical cams that secure the appropriate safety areas. These cams are located either directly on the robot axes or, in the case of linear motors, these cams are e.g. designed as limit switches at the end of the path.

According to the invention, the movements of the robot 12 around its axes are secured with “electronic cams.” The “electronic cam” is stored as a value range in the memory of the micro-computer 58, 60 in the safety controller 38, and a certain movement range of the robot is assigned to it, with the stored values being compared with the actual status values transmitted via the buses CAN_A and CAN_B. As long as the drive mechanism, i.e. the actual status values, are in the defined area of the electronic cam, this will be defined as a correct function. The axis to be monitored is located in its target status. When the electronic cam, i.e. the stored value range, is left, the axis leaves its target status and the safety controller 38 takes back an output that is allocated to this value range. This output can affect the main contactors K1, K2 directly or can be connected to external protective devices, such as protective door contacts 20, 22, via a relay combination.

When an operator wants to enter the protective room 14, a safety position or “SAFE POSITION” is selected. In this case, all axes 23-29 are monitored for standstill. The safety position can be selected or requested automatically, with active monitoring of this function occurring automatically through the monitoring and control device when it is requested from the robot control 36.

When the safety position is requested from the robot control 36, the robot 12 moves into a defined position. When all drive units 24-30 or all axes 23-29 have come to a standstill, the safety controller 38 sets an output in the output level 92. This output is connected, for example, with a safety contact of the protective door 20, 22. The protective door 20, 22 can be opened without an error message generating a disconnection, since the robot 12 is being monitored for standstill. When one of the drive units 24-30 or one of the axes leaves the monitored position, the safety controller 38 takes back the previously set output. This output is connected externally with the protective door 20, 22 in accordance with Control Category 3 as defined in EN 954-1. When the protective door 20, 22 is opened while one or several drive units 24-30 are moving, the output of the safety controller 38 drops when the protective door 20, 22 is opened and the main contactors K1 and K2 are no longer supplied with energy (see FIG. 4).

FIG. 10 shows a flow chart 190, in which the process steps for setting the safety position (SAFE POSITION) are shown. The program process occurs redundantly in the micro-computers 50, 60 of the safety controller 80. An explanation will be provided with the help of the program process in the micro-computer 58 (CPU 1). In a first step 192, the robot control 36 requests the safety position via the bus CAN_A. The respective micro-computers 58, 60 are fed the redundant actual status value via the buses CAN_A and CAN_B through input 194, 194′. Receipt of the request of the robot control starts the program process with a step 196, 196′. In a second step 198, 198′ a query is started to find out whether a request for the safety position exists. If there is a request, the current actual status value of all axes is compared with the safety position in a next program step 200, 200′. In a next program step 202, 202′, an examination is conducted as to whether the actual status value is within the range of the safety position. If this is not the case, an error message is generated in a program step 204, 204′, with which the safety position is set back and the drive mechanisms are turned off.

If the actual status values are within the range of the safety position, the status is transferred from the micro-computer 58 to the micro-computer 60 and vice versa in another program step 206, 206′. In the program step 208, 208′, a comparison is performed as to whether the status of the micro-computer 58 corresponds to the status of the micro-computer 60, and vice versa. If this is not the case, an error message is generated in the program step 210, 210′, and the robot is transferred into a safe status. If the status of the micro-computer 58 corresponds to the status of the micro-computer 60 and vice versa, an output “SAFE POS_1” and “SAFE POS_2”, respectively, is set in the output level 92 by each micro-computer 58, 60 in a program step 212, 212′. After that, in program step 214, 214′, the output “SAFE POS_2” is read back by the micro-computer 58, or the output “SAFE POS_1” is read back by the micro-computer 60. A program step 216, 216′ checks whether the outputs “SAFE POS_1” and “SAFE POS_2” have the same status. If this is the case, this information is sent to the input 198, 198′ with the program step 218, 218′. Otherwise an error message is generated with the program step 220, 220′, the outputs are set back and the drive mechanisms are turned off.

When the robot control starts up, a safe synchronous position is required. A flow chart for setting the synchronous position is shown in FIG. 11. After turning them back on or after “POWER ON,” the redundant micro-computers 102, 102 of the drive control 50 check each other's actual status values that were stored in flash memory 111, 125 when they were turned off. Since the resolver 48 only works absolutely on one revolution, the mechanical position of the robot 12 must be safely synchronized to these actual status values in an additional routine step. This occurs by moving into the synchronization position 32. An evaluation is performed by the safety controller, shown in FIG. 11 with the flow chart 222. Initially, in a first program step 224, 224′, information about the actual status values upon connection is sent via the buses CAN_A and CAN_B to the respective micro-computers 58, 56.

Upon start of program step 226, 226′, it is found in another program step 228, 228′ that automatic operation for the robot 12 after “POWER ON” has not been released. With the next program step 230, a query is run whether a request for setting the synchronous position has occurred via the bus CAN_A. After that, in a program step 232, a request occurs from the micro-computer 58 to the micro-computer 60 for setting the synchronous position, whereupon a query is started in a program step 234. If no request for setting the synchronous position occurs, program step 228, 228′ is followed and automatic operation for the robot 12 is not released after “POWER ON.”

If a request for setting the synchronous position has been received, it is checked in a next program step 236, 236′ whether the synchronous position has been reached. Should this position not be reached, an error message is generated in program step 238, 238′, and the robot is moved into a safe position. When the synchronous position has been reached, a status transfer is initiated between the micro-computers 58, 60 with a program step 240, 240′. After that, in program step 242, 242′, an examination is performed whether the status of the micro-computer 58 corresponds to that of the micro-computer 60. Should the status not agree, an error message is generated in program step 244, 244′, and the robot is switched into a safe status. If the status agrees, an input SYNC POS_1 of the micro-computer 58 or an input SYNC POS_2 of the micro-computer 60 is checked in program step 246, 246′. If there is no signal on the inputs, a program step 248, 248′ generates an error message, which indicates that the robot is not synchronous due to a defective synchronization switch. On the other hand, automatic operation is released in the case of a synchronous robot in a program step 250, 250′.

In the example described here, the synchronous position is defined by the synchronous switch 32. The synchronous switch can be activated by the robot 12 when the synchronous position has been reached, or otherwise an operator can acknowledge the synchronous position manually. The synchronous position must be unambiguous. It must not be reachable through any other angle combination of the robot axes. An inaccuracy of the safety position switch of about 5 to 10 mm is acceptable for human safety.

In every case, the protective doors 20, 22 must be closed when the robot moves into the synchronous position or the synchronous switch; otherwise movement of the robot must occur via a permissive switch. It is only when program step 250, 250′ safely indicates correct synchronization that all monitoring processes start. The request to the safety controller 38 to monitor the synchronous position occurs via the robot control 36 and via the bus CAN_A as soon as the robot control has positioned the robot in the synchronous position.

FIG. 12 shows the diagrammatic view of movement ranges of the axes 252-262, which are equipped in certain angle ranges with axis-specific, programmable “electronic cams” 264-274. These cams 264-274 apply only to the respective axes 252-262. The electronic cams 264-274 of the individual axes are permanently monitored by the safety controller 38 in accordance with a flow chart 276 depicted in FIG. 14.

In a program step 278, the axis-specific cams are entered into an actual value table. Furthermore, in program step 280, 280′, the respective micro-computers 58, 60 are fed the actual status values of the individual drive units 24-30 or appropriate axes 252-262. After the program start 282, 282′, a comparison is performed of e.g. the actual status value of the axis 252 to the appropriate value table, in which the cam 264 is defined. Should the actual status value of e.g. the axis 252 be within the range of the electronic cam 264, a program step 286, 286′ decides that a status transfer to the micro-computer 58 or the micro-computer 60 occurs in the program step 288, 288′. Program step 290, 290′ checks whether the status of the micro-computer 58 corresponds to the status of the micro-computer 60, and vice versa. If this verification is negative, an error message is generated in a program step 292, 292′, and the robot 12 assumes a safe status. Otherwise, in a program step 294, 294′, a first output “cam 264_1”, which is allocated to the cam 264, is set by the micro-computer 58, and a second output “cam 264_2” is set by the micro-computer 60. In another program step 296, 296′, the outputs are read back crosswise. As long as the outputs display the same status, a signal that the safe cam has been reached is generated in a program step 298, 298′; otherwise, an error message is generated in a program step 300, 300′, the cams are set back and the drive mechanisms are turned off.

The number of outputs of the safety controller 38 depends on the respective application. The electronic cams of the respective axes 252 through 262 can be programmed freely by the user. FIG. 13 shows the principle of a Cartesian cam. A Cartesian cam 302 forms a spatial area, preferably a cuboid, within the entire movement range of the robot 12. The actual status values are calculated through kinematic transformation onto a handling device specific point 304 such as a robot flange or TCP (tool center point). An appropriate transformation routine exists in the micro-computers 58 or 60. Through matrix operations, Cartesian coordinates in the Cartesian space are calculated from the received actual status values. In the appropriate matrices, such as Denavit-Hartenberg matrices, a kinematic chain of the robot axes is formed, e.g. a vertical bend robot or a horizontal swivel arm robot etc. These matrices are different for different robot kinematics. The transformation algorithm, however, is the same for all kinematics.

The Cartesian cam 302 enables the monitoring of the robot axes 252-262, with outputs being activated in the output level 92 of the safety controller 38 when the robot 12 is located in a defined position or within a range defined in the space. If the robot 12 has not reached the desired position or is not located in the appropriate area, the specified output is deactivated.

The Cartesian cam 302 can be programmed arbitrarily by the user. Several Cartesian cams can be programmed as well. The number of cams is determined by the maximum expansion of safe inputs and outputs on the safety controller 38. Calculation/setting of the Cartesian cams occurs while taking the braking distance of the respective axis into consideration. As already mentioned, the electronic cams can be defined both for each axis individually, as shown in FIG. 12, or on a Cartesian basis for the sum of all axes, as depicted in FIG. 13. Programming of the cams is performed via tables. One table is provided for each axis and an additional table for the Cartesian monitoring process. In every table, a maximum of 16 cams can be programmed. In every cycle, each table is run in order to check whether an axis is located on a programmed cam or whether the Cartesian position is on a cam. If this is the case, an output, which is also programmed in the table, is set. The following example will illustrate this:

EXAMPLE

Cam Table for Axis 1 (analogously for axes 2 ... 24):

  Cam No.   Cam Start     Cam End       Output No.   Level
  1         0 degrees     10 degrees    10           1
  2         170 degrees   180 degrees   11           1
  ...       50 mm         90 mm         ...          ...
  ...       ...           ...           ...          ...
  16        ...           ...           ...          ...

Cam Table for Cartesian Monitoring:

  Cam No.   Cam Start                              Cam End                                Output No.   Level
  1         X = 10 mm, Y = 100 mm, Z = 1000 mm     X = 2000 mm, Y = 1900 mm, Z = 1500 mm  10           1
  2         X = 1000 mm, Y = 1500 mm, Z = 1200 mm  X = 4000 mm, Y = 5000 mm, Z = 1500 mm  11           1
  ...       ...                                    ...                                    ...          ...
  16        ...                                    ...                                    ...          ...
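The axis cam table above and the two-channel evaluation of flow chart 276 (FIG. 14), as an added example that is not code from the patent: one axis table held as a struct, run by both channels (micro-computers 58 and 60 in the text), the received states compared before any output is set, and the output images read back crosswise afterwards. The two table rows are those of the axis-1 example; the output image size, the comparison tolerance, the enum names and the fault injected in the usage are assumptions.

```c
#include <math.h>
#include <string.h>

/* Added example, not the patent's own code: one axis cam table evaluated by two
   channels, states compared (steps 288-290) and outputs read back crosswise
   (step 296). Table rows are from the patent's axis-1 example; N_OUTPUTS and
   STATE_TOL are assumptions. */

#define MAX_CAMS   16     /* a table holds at most 16 cams */
#define N_OUTPUTS  32     /* size of the safe output image (assumption) */
#define STATE_TOL  0.01   /* allowed deviation between the two channels (assumption) */

typedef struct {
    double start, end;    /* cam start/end: degrees (rotary axis) or mm (linear axis) */
    int output_no;        /* safe output set while the axis is on this cam */
    int level;            /* level written to that output */
} cam_t;

typedef struct { int n; cam_t cam[MAX_CAMS]; } cam_table_t;

typedef enum { CAM_OK = 0, CAM_STATE_MISMATCH, CAM_OUTPUT_MISMATCH } cam_result_t;

/* One channel: run the table for its actual value and build its output image.
   Returns the number of cams the axis is currently on. */
int eval_cam_table(const cam_table_t *t, double actual, int out[N_OUTPUTS]) {
    int hits = 0;
    memset(out, 0, N_OUTPUTS * sizeof out[0]);
    for (int i = 0; i < t->n; i++) {
        const cam_t *c = &t->cam[i];
        if (actual >= c->start && actual <= c->end) {   /* axis is on the cam */
            out[c->output_no] = c->level;
            hits++;
        }
    }
    return hits;
}

/* Crosswise read-back: the two output images must be identical. */
cam_result_t cross_check_outputs(const int out_a[N_OUTPUTS], const int out_b[N_OUTPUTS]) {
    return memcmp(out_a, out_b, N_OUTPUTS * sizeof out_a[0]) == 0 ? CAM_OK
                                                                  : CAM_OUTPUT_MISMATCH;
}

/* One monitoring cycle for a single axis. actual_a / actual_b are the safe
   actual values each channel received over its own bus. On any mismatch the
   outputs are cleared (cams set back); the caller switches the drives off. */
cam_result_t monitor_axis_cams(const cam_table_t *t, double actual_a, double actual_b,
                               int out_a[N_OUTPUTS], int out_b[N_OUTPUTS]) {
    memset(out_a, 0, N_OUTPUTS * sizeof out_a[0]);
    memset(out_b, 0, N_OUTPUTS * sizeof out_b[0]);
    /* status transfer and comparison: both channels must hold the same value */
    if (fabs(actual_a - actual_b) > STATE_TOL) return CAM_STATE_MISMATCH;
    eval_cam_table(t, actual_a, out_a);   /* channel A sets "cam x_1" */
    eval_cam_table(t, actual_b, out_b);   /* channel B sets "cam x_2" */
    cam_result_t r = cross_check_outputs(out_a, out_b);
    if (r != CAM_OK) {                    /* error: cams set back */
        memset(out_a, 0, N_OUTPUTS * sizeof out_a[0]);
        memset(out_b, 0, N_OUTPUTS * sizeof out_b[0]);
    }
    return r;
}

/* Constructed table holding the two rows of the patent's axis-1 example. */
const cam_table_t AXIS1_TABLE = { 2, { { 0.0, 10.0, 10, 1 }, { 170.0, 180.0, 11, 1 } } };
```

The state comparison runs before the table lookup so that a bus or memory fault on one channel can never set an output on the other; the crosswise read-back then catches a stuck output driver, which the state comparison alone would miss.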

The monitoring or setting of the Cartesian cam is described with a flow chart 306 in FIG. 15. The values or value ranges of the safe Cartesian cams are made available to the micro-computers 58, 60 in a program step 308. In the program steps 310, 310′, the micro-computers are fed the safe actual status values via the buses. After start in accordance with program step 312, 312′, initially the robot kinematics, which in particular can comprise a maximum of 2*9=18 axes, is transformed in a program step 314, 314′, and the Cartesian actual value of the point 304 is calculated. In program step 316, 316′, the calculated Cartesian actual value of the point 304 is transferred to the other micro-computer. Subsequently a comparison occurs with program step 318, 318′ as to whether the Cartesian actual values of the micro-computers 58, 60 agree. If the Cartesian actual values differ, an error message is generated in the program step 320, 320′, and the robot is switched into a safe status. After that, in program step 322, 322′, the actual status values of the TCP are compared to the actual values stored in the table for the appropriate cam. Program step 324, 324′ decides whether the actual status values are within the range of the appropriate cams. If this is the case, in program step 326, 326′ each micro-computer 58, 60 sets an output that is allocated to the respective cam. Otherwise the process returns to program step 314, 314′. In program step 328, 328′ the respective outputs are read back crosswise. If both outputs have been set, it is decided with program step 330, 330′ that the safe cam has been reached. If the status of the outputs does not agree, an error message is generated in program step 332, 332′, the cams are set back and the drive mechanisms are turned off.

With a so-called “setting operation,” the robot or a robot flange is to be moved at a safely reduced speed. The basis for the safely reduced speed is the safe actual status values of the axes 252 through 262. The actual status values are recorded in intervals of equal duration and converted into Cartesian space coordinates through kinematic transformation and calculated for the point 304. A Cartesian speed of the point 304 is calculated from two transformed position values through differentiation and compared to a maximum permitted speed. When the maximum permitted speed is exceeded, a monitored function such as “STOP 1” is initiated immediately, with the drive units 24 through 30 being stopped in the fastest possible manner, while the energy supply to the drive units is maintained. Based on the relevant standard, the TCP must operate during the setting operation with 250 mm/s max.

The monitoring software must be processed cyclically, while not exceeding a cycle rate (error tolerance time). A cut-off branch includes one transistor driver and the main contactors K1, K2, which also have cut-off times. The cycle time must be established in accordance with the achieved maximum speed in the operating modes SETTING and AUTOTEST, unfavorable axis positions, e.g. in the case of large ranges, the robot kinematics and the specified error tolerance time. The effective stopping time is within the range of common switching devices with contacts.

The setting of kinematics, i.e. definition of the kinematic chain, axis lengths, gear data etc. as well as adjustments of the maximum moving speed (250 mm/s max.) are performed once in an initialization phase when the robot control 36 is started up. During this process it must be ensured that the initialized data is recorded by the micro-computers 58, 60 of the safety controller 38, safely stored and protected from write access. The parameters are measured with the help of the robot control 36 and calculated, and must then be verified and confirmed by an operator.

As was mentioned above, the function “STOP 1” is monitored for a controlled fast reduction in speed of the point 304 as follows: According to the invention, a brake ramp monitoring process is performed. In the case of Cartesian brake ramp monitoring, it is to be checked whether the robot 12 reduces its speed when e.g. a “STOP 1” or “STOP 2” function has been triggered. For this, the actual speed or status values of the axes are read at time intervals and transformed in a Cartesian manner. This way, the Cartesian space coordinates of e.g. the tool center point (TCP) or a tool tip are calculated for the currently adjusted tool. By subtracting a Cartesian data set in a first scanning point in time from a data set in a second scanning point in time, one obtains a difference vector. A Cartesian speed can be determined in the space for the tool tip from the resulting difference in time between two scanning points. The calculated speed must be reduced after recognizing a “Stop 1” or “Stop 2” function, which is triggered e.g. with a stop switch or an emergency off switch. If this is not the case, a function “STOP-0” must be performed.

Brake ramp monitoring will be described with the help of the diagram 334 shown in FIG. 16. The time t is entered via the abscissa 336 and the speed n is entered via the ordinate 338. At the time T0 a stop function is triggered, and a speed Nx measured at that time is stored. This speed is shown in the diagram 334 as parallel 340 to the abscissa 336. Tmax is a point in time after n cycles, after the main contactors K1, K2 have been released. The line 342 depicts the current revolution or speed which corresponds to the revolution n=Nx at the time T0 and the speed n=0 at the time Tmax.

At the time T1, the current speed is compared to the starting speed Nx. If the Cartesian speed calculated from the revolutions at the time T1 is equal to or larger than the starting speed calculated from Nx, the function “STOP 0” is triggered immediately. However, if the speed at the time T1 is smaller than the starting speed, the function “STOP 1” is performed until the time Tmax. After the time Tmax, the function “STOP 0” is performed automatically.
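The brake ramp decision of diagram 334, as an added example that is not the patent's own code: the speed Nx stored at T0, the reference line 342 from Nx down to zero at Tmax, and the per-sample decision that selects STOP 0 either immediately when the speed has not dropped below Nx or automatically once Tmax has elapsed. The number of cycles, the cycle time and the sample values are constructed.

```c
#include <math.h>
#include <stdbool.h>

/* Added example, not from the patent: brake ramp monitoring after a stop
   function as described for diagram 334. Cycle count, cycle time and samples
   are constructed values. */

typedef enum { STOP_FN_NONE = 0, STOP_FN_1 = 1, STOP_FN_0 = 2 } stop_fn_t;

typedef struct {
    bool   active;
    double t0;     /* time at which the stop function was triggered */
    double nx;     /* speed stored at t0 (parallel 340) */
    double tmax;   /* t0 plus n cycles; after this K1, K2 are released */
} brake_ramp_t;

/* Trigger the ramp at time t with the speed measured at that moment. */
void brake_ramp_trigger(brake_ramp_t *r, double t, double speed,
                        int n_cycles, double cycle_time) {
    r->active = true;
    r->t0 = t;
    r->nx = speed;
    r->tmax = t + n_cycles * cycle_time;
}

/* Reference line 342: Nx at T0 falling linearly to 0 at Tmax. */
double brake_ramp_reference(const brake_ramp_t *r, double t) {
    if (t <= r->t0) return r->nx;
    if (t >= r->tmax) return 0.0;
    return r->nx * (1.0 - (t - r->t0) / (r->tmax - r->t0));
}

/* Decision for one sample: STOP 0 if the speed has not fallen below the
   stored Nx, or once Tmax has elapsed; otherwise STOP 1 is continued. */
stop_fn_t brake_ramp_check(const brake_ramp_t *r, double t, double speed) {
    if (!r->active) return STOP_FN_NONE;
    if (t >= r->tmax) return STOP_FN_0;     /* automatic STOP 0 after Tmax */
    if (speed >= r->nx) return STOP_FN_0;   /* no deceleration: immediate STOP 0 */
    return STOP_FN_1;
}

/* Run a sequence of (time, speed) samples; returns the index of the first
   sample at which STOP 0 was selected, or -1 if STOP 1 held throughout. */
int brake_ramp_first_stop0(const brake_ramp_t *r, const double *t, const double *v, int n) {
    for (int i = 0; i < n; i++)
        if (brake_ramp_check(r, t[i], v[i]) == STOP_FN_0) return i;
    return -1;
}
```

In the usage, a ramp triggered at 200 units of speed with five 100 ms cycles keeps STOP 1 while the sampled speed keeps falling and switches to STOP 0 at the first sample past Tmax; a sample that still shows the full starting speed selects STOP 0 at once.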

In order to protect the system from unexpected start-up, it incorporates the measures shown in FIG. 17. Initially, the key-operated selective switch 178 is put into the “SETTING” position, and all moving switches are checked for “not active.” At this time, it is being checked for a safe stop. One time actuation of the permissive switch 182 initiates the monitoring process of the safely reduced speed by the safety controller 38. After this time, the robot 12 can be moved with the standard moving switches. However, if the robot 12 is in a non-moving position longer than the time period Tx, i.e. no moving switch was actuated, the system is monitored again for a safe stop. For a renewed start-up, the permissive switch 182 must be actuated again.

The flow chart 344 depicted in FIG. 18 shows the monitoring process of the safely reduced speed. In a first program step 346, 346′, the safe actual status values are conveyed to the micro-computers 58, 60 of the safety controller 38. After start-up of the micro-computer in program step 348, 348′, the actual status values are transformed in a kinematic manner in the program step 350, 350′, and the actual speed of the point or of the robot flange 304 is calculated. Afterwards, in a program step 352, 352′, the calculated actual speed is transmitted from the micro-computer 58 to the micro-computer 60, and vice versa. In the program step 354, 354′, a query is run as to whether the actual speeds that were calculated in the respective micro-computers 58, 60 are identical. If the speeds are not identical, an error message is generated in a program step 356, 356′, and the drive mechanisms are turned off. Otherwise, the examination of the safely reduced speed is concluded with the program step 358, 358′.

In some application cases, when the robot 12 is to perform tasks such as painting, it becomes necessary to move the robot during the setting operation with its operating speed. First, an operator must select the operating mode “AUTO-TEST” with the key-operated switch 180 that is integrated in the hand-held programming device 46. In a next step, it is necessary to move the three-step permissive switch 182 into the middle position.

Now the robot starts its movement, this means that a release signal 362 is set as soon as the start moving switch 360 is actuated. When the start moving switch 360 is released, the release signal 362 is set back, and the robot is stopped with a function “STOP 2.” The function “STOP 2” signifies a controlled stop, during which power supply to the drive units is maintained.

During a so-called “TILT OPERATION”, the safety controller 38 triggers a function “STOP 1” as soon as the permissive switch 182 leaves its middle position after the start moving switch 360 has been actuated. If the start moving switch 360 is released first and then the permissive switch 182, the robot 12 is monitored automatically for standstills, i.e. function “STOP 2.”

During so-called “PULSE OPERATION,” which is shown in FIG. 20, a one-time actuation of the moving switch 360 is necessary in order to activate the release signal 362, while the key-operated switch 180 is turned on, the permissive switch 182 has been actuated and is in the middle position and the start moving switch 360 has been actuated.

Furthermore, an operating mode “AUTOMATIC OPERATION” can be selected via the key-operated switch 176. This operating mode can only be executed when the protective doors 20, 22 are closed. With this operating mode, no particular requests are placed with the safety controller 38.

FIG. 21 depicts a brake control system in accordance with the invention in the basic logic diagram 364. The brake control process is executed via the safety controller 38, to which a service module 366 is connected via safe inputs 368, 370. Serial contactor contacts 376, 378 are actuated via safe outputs 372, 374, with the contacts directing a 24 V brake supply voltage to the drive units 24 through 30 via an external control transformer 380. The drive units 24 through 30, respectively, are equipped with an electronic switching element 382, 384, which is connected to the redundant circuits or channels 52, 54 of the drive control 50 via an AND element 386, 388. An output 390, 392 of the drive units 24 through 30 is connected to a braking device 394, 396 of the respective drive units. Axes or drive units without gravity load are also connected, via an emergency switch 398, to an external 24 V brake supply voltage 400 that is not connected to the main switch of the control units. The connected brake devices can be lifted via the emergency switch 398, even if the power supply for the control unit is switched off at the main switch. The power switches 376, 378 for the brake supply voltage are set up externally. This enhances flexibility towards the number and power requirements of the connected motors or brakes. During normal operating mode, the outputs 372, 374 switch parallel to the outputs for selecting the contactors K1, K2. Should no other operating mode be required, the switching elements 376, 378 can be contacts of the power contactors K1, K2.

For the purpose of examining the running characteristics of the robot, in particular of gear mechanisms or other mechanical elements, by a service technician, the robot is switched to a “SERVICE MODE” operating mode. In this case, the braking device 394 of an axis that is to be checked, for example, must be lifted manually. When in service mode, the robot is being monitored by the service technician. The service mode can be activated at various levels (danger categories). On the one hand, the service mode can be set by selecting a menu in the hand-held programming device 46, and on the other hand, energy—for example power for the brakes—can be released by actuating the service module 366, which is connected to the safe inputs 368, 370.

The following operation is provided for the operating mode “SERVICE MODE,” i.e. to manually lift the brakes: First, an operating menu is selected in the hand-held programming device 46. Individual keys are defined or released, with which the individual braking devices 394, 396 can be lifted. After that, the service module 366 is set on the safe inputs 368, 370 of the safety controller for setting the service mode, e.g. via a key-operated switch. In this constellation, the safety controller 38 releases the braking power via the switching contacts 376, 378. The brakes 394, 396, however, are not lifted yet. In a next step, the drive control 50 can lift the braking devices 394, 396 of the appropriate axes within the drive units 24 through 30 by engaging the internal brake switch 382, 384. The robot itself is without power in this operating mode. It can only be moved manually or through gravity. A return to normal operation is only possible by resetting the “SERVICE MODE.”

In order to eliminate production malfunctions, an operating mode “group control” is provided for. If, for example, the welding robot 12 becomes stuck in an area of the work piece that is difficult to access after a power supply malfunction with a burnt welding wire, the drive units 24 through 30 turn off due to the malfunction. Moving the robot axes during the setting operation would mean an increased risk of collision for an untrained operator. It is much easier and simpler, e.g. on axes without or with little gravity load such as head axes, to lift the braking devices 394, 396 with a command via the hand-held programming device and to move the axes manually into a clear position. Axes with a gravity load of about 6 kg can be lifted in this operating mode.

The following operation is provided for this special operating mode: In a first step, the group is stored in a safety-relevant area of the machine data. In a second step, an operating menu is selected in the hand-held programming device, with a key being defined or released with which the group of braking devices can be lifted in “TILT OPERATION.” In a third step, the safety controller 38 releases the brake line via the switching contacts 376, 378 so that in a fourth step the braking devices of an axis can be lifted by engaging the internal brake switch 382, 384.

The robot is without power also in this operating mode. The axes with lifted brakes can only be moved manually. Axes at risk or subject to gravity are not included in this group definition. The axes that are not released are monitored for standstills during this operating mode. Unintentional engaging, e.g. due to a defect of the single-channel brake switch 382, 384 of a drive unit 24-30, which can also be described as a servo amplifier, would also lift the brake of an axis under gravity load, and the axis would be able to move. In this case, the safety controller 38 turns the brake line off. Selection of the desired operating mode “MOVING” with the hand-held programming device ensures a return to normal operation. The drive mechanisms must be turned on for controlled robot movements.

There is also the possibility of lifting a group of braking devices externally via an external power supply 400 and the emergency switch 398. External lifting of braking devices is reserved only for emergency situations. In this case, the robot control 36 or the safety controller 38 can be turned off, but external auxiliary power is available. When actuating the easily accessible switch 398 (in tilt operation), the braking devices 394 are lifted on all axes that are not subject to gravity load. In this condition, the robot mechanisms can be moved manually, e.g. to release a trapped person. Selection of the permissible axes is done with internal switch cabinet wiring, with only these brakes being connected to the external auxiliary energy source 400.

In accordance with the invention, there is also the possibility of checking the braking effect of the braking devices 394, 396. This brake test is performed when the drive mechanisms are turned on. First a main switch is turned on, and the robot control 36 as well as the safety controller 38 are started up. Then the drive mechanisms are turned on, and the braking devices 394, 396 are lifted. After that, a braking current C_(B) is measured on the axes, with the robot axes having different loads and random positions in the space. Furthermore, the braking devices 394, 396 are actuated by switching the internal brake switches 382, 384, and an axis-specific current value C_(TEST) = C_(B) ± C_(OFFSET) is released to the final stage, with C_(OFFSET) = x·C_(NOM) and x in the range 0.6 ≤ x ≤ 1.0, preferably x = 0.8, and with C_(NOM) being the current that corresponds to the nominal moment M_(NOM) of the braking device. Additionally, all axes are checked for standstills. If required, the safety controller 38 can check the system for safe stops. Then the offset increase is taken back from the target current value, the braking devices are lifted and the system returns to normal operation.

The nominal torques or moments M_(NOM) of the braking devices vary with the size of the motor, so this information should be stored in the machine data for calculating the current offset value, particularly the value C_(NOM).
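The brake test of the two paragraphs above, as an added example that is not the patent's own code: the test current C_TEST = C_B ± x·C_NOM is formed only for x inside the permitted range 0.6 to 1.0, the axis is then judged by resolver samples recorded while the test current is applied, and a moved axis or an out-of-range parameter fails the test. All currents, sample values and the tolerance are constructed; C_NOM stands in for the machine-data value.

```c
#include <math.h>
#include <stdbool.h>
#include <stdlib.h>

/* Added example, not from the patent: brake test current and the standstill
   check that accompanies it. Currents in amperes, resolver samples in
   increments; all values constructed. */

#define X_MIN       0.6
#define X_MAX       1.0
#define X_PREFERRED 0.8

typedef struct {
    double c_nom;   /* current corresponding to the nominal moment M_NOM (from machine data) */
} brake_params_t;

typedef enum { BRAKE_TEST_PASS = 0, BRAKE_TEST_FAIL_PARAM, BRAKE_TEST_FAIL_MOVED } brake_test_result_t;

/* C_TEST = C_B + sign * x * C_NOM; false if x or sign is outside the permitted set. */
bool brake_test_current(double c_b, const brake_params_t *bp, double x, int sign,
                        double *c_test) {
    if (x < X_MIN || x > X_MAX || (sign != 1 && sign != -1)) return false;
    *c_test = c_b + sign * x * bp->c_nom;
    return true;
}

/* Standstill check: every sample taken while the test current is applied must
   stay within tol increments of the first one. */
bool axis_at_standstill(const long *samples, int n, long tol) {
    for (int i = 1; i < n; i++)
        if (labs(samples[i] - samples[0]) > tol) return false;
    return true;
}

/* Whole sequence for one axis: form the test current, then judge the held
   axis from the resolver samples recorded during the test. */
brake_test_result_t run_brake_test(double c_b, const brake_params_t *bp, double x, int sign,
                                   const long *samples, int n, long tol, double *c_test) {
    if (!brake_test_current(c_b, bp, x, sign, c_test)) return BRAKE_TEST_FAIL_PARAM;
    if (!axis_at_standstill(samples, n, tol)) return BRAKE_TEST_FAIL_MOVED;
    return BRAKE_TEST_PASS;   /* afterwards the offset is taken back again */
}
```

A failed standstill check means the brake could not hold the motor against the test torque, which is exactly the condition the test exists to reveal before the axis is trusted in normal operation.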

The electronics of the drive control 50, also called servo amplifier, is supplied from different power sources in accordance with the operating status. First, each drive control 50 is equipped with a dc-dc converter, with which the entire electronics of the motor control 50, including the power parts and active PWM, is supplied when the main switch is in the “ON” operating mode and the drive mechanisms are turned on. An external dc-dc converter that is directly connected to the network supplies the entire electronics of the motor control without the power parts in the “ON” operating mode, but with turned-off drive mechanisms. Furthermore, only the resolver evaluation electronics is supplied by the external dc-dc converter when the main switch is turned off. During a power failure, it is also only the resolver evaluation logic system that is supplied via an accumulator and an external dc-dc converter.

Power failures can occur in various operating modes. In these cases, the system moves continuously to the operating mode with the lowest energy demand. In a flow chart 402 in accordance with FIG. 22, an emergency stop routine is shown. In a first program step 404 an evaluation is performed as to whether a power failure was recognized by the ACFAIL signal or a disconnection of the robot control 36 or the safety controller. If the power failure or disconnection of the robot control was recognized, program step 406, 406′ starts an emergency stop routine both in the circuit 52 and in the circuit 54 with the micro-computers 102, 120. In the circuit 52, modules that are no longer required, such as the CAN interface 56, LED displays and other modules, can be turned off since the robot control 36 and the safety controller 38 will no longer be supplied shortly thereafter. A power failure is recognized with the ACFAIL signal of the external dc-dc converter of the motor control system, and disconnection of the control is recognized when the target values are not received via the bus CAN_A. In another program step 410, 410′, an examination is performed whether the axis has stopped. If the axis has not stopped, the axis is first set to a standstill in program step 412, 412′. During the delay period, the generator energy of the motors is consumed. The standard channels of the status control system are used. The programmed path is no longer followed because the robot control no longer works. Stopping of the axis can last 1 to 1.5 s in accordance with the robot kinematics.

When a standstill has been reached, further program steps are performed redundantly in the circuits 52, 54. In a next program step 414, 414′, the braking device is activated in both circuits, and in program step 416, 416′ it is checked after a waiting period whether the brakes have engaged. This occurs through a comparison of several actual status values, which must not change, in the program step 418, 418′. After that, the actual status value, consisting of counted revolutions and the resolver value, is stored in the appropriate system flash 111, 123 with program step 420, 420′. After successfully writing the actual status value into the flash 111, 123, the axes are marked synchronous. This means a synchronous flag is set. The emergency stop routine ends with program step 422, 422′. Normally, the dc-dc converter of the power part is active up to here because the capacitors of the intermediate circuit are charged up to the standstill. After discharging the intermediate circuit, the external dc-dc converter with accumulator buffer takes over the energy supply role by triggering program step 424, 424′.

The behavior of the drive control 50 during accumulator operation can be seen in a flow chart 426 in accordance with FIG. 23. During power failures, power is supplied via an accumulator, with only the resolver evaluation electronics being supplied. In order to extend the buffer time, consumers that are no longer required, such as the SRAM 106 of the micro-computer 102, the micro-computer 122 and the divider 118, DP RAM 130, RP RAM 116, are turned off.

The remaining active hardware is shown in FIG. 24. In program step 428, 428′, the motor control “power down routine” is started in the circuits 52, 54. With program step 430, 430′, all consumers that are no longer required are turned off, as already mentioned above. The redundant micro-computers 102 and 120 only work in the system flash 111, 123 and in the internal SRAM 106, 122. The reference voltage is only activated in the measurement interval in order to minimize consumption.

In program step 432, in circuit 52, i.e. in the micro-computer 102, a time sequence for the cyclical resolver evaluation is specified. In program step 434, the timer time is checked. Every 200 ms a signal “start resolver” is generated in program step 436, via which a resolver evaluation cycle is requested in circuit 54. With program step 438 in the circuit 54, the cyclical request of the circuit 52 is monitored. If the program step 438 detects no signal “start resolver” within 200 ms, a failure is recognized in circuit 52 and an error message is generated in program step 440. The axis is marked asynchronous by the circuit 54, i.e. the synchronous flag is set back and it waits for communication with the safety controller 38.

In the case of correct cyclical requests, the circuit 54 starts its reference frequency generator in the program step 442 and sets its SOC signal (start of conversion) for the analog-to-digital converters in the circuits 52, 54. In program step 444, the circuit 52 waits for the SOC signal. Upon successful conversion, the SOC signal must be recognized in program step 446 in the circuit 52, which monitors the function of the circuit 54 with an identical error reaction. In program step 448, an analog-to-digital conversion of the sine/cosine signals is started in circuit 54. Afterwards, the actual status values are calculated in program step 450, 450′. The actual status value is compared with the actual status value of the last cycle in program step 452, 452′. Both actual status values must be in agreement, i.e. the axis must not move. If the actual status values are not identical, an error message is generated in program step 454. If an error is recognized in a circuit 52, 54, cyclical processing is stopped. This forces the redundant partner also into the error status. If no error is detected, both micro-computers 102, 120 store the established actual status value in the respective processor-internal SRAM 106, 122 in a program step 456, 456′. If no error should have occurred by that time, the axis is marked as synchronous by setting a sync flag in program step 458, 458′. After that, it is checked with program step 460, 460′ whether the system must remain in the power down mode. If so, the process proceeds with program step 434 or 438. If not, it returns to the standard mode in accordance with program step 462, 462′.
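The power-down resolver cycle of the two paragraphs above (flow chart 426, FIG. 23), as an added example that is not the patent's firmware: circuit 52 raises the “start resolver” request every 200 ms from its timer, circuit 54 supervises that request and marks the axis asynchronous when it stays away for longer than 200 ms, and each new actual value is compared with that of the previous cycle so that any movement of the axis during buffered operation ends cyclic processing and clears the sync flag. Timestamps and resolver values are constructed; the state struct and function names are my own.

```c
#include <stdbool.h>

/* Added example, not the patent's firmware: the 200 ms "start resolver"
   request of circuit 52, its supervision in circuit 54 (step 438) and the
   cycle-to-cycle comparison of the actual value (step 452). All timestamps
   (ms) and resolver values are constructed. */

#define RESOLVER_PERIOD_MS 200

typedef struct {
    bool error;             /* cyclic processing stopped (partner forced into error too) */
    bool sync_flag;         /* axis marked synchronous */
    bool have_last;
    long last_value;        /* actual value of the previous cycle, kept in internal SRAM */
    long next_request_ms;   /* circuit 52: timer for the next request (step 434) */
    long last_request_ms;   /* circuit 54: time the last request was seen (step 438) */
} pd_state_t;

void pd_init(pd_state_t *s, long now_ms) {
    s->error = false;
    s->sync_flag = true;     /* set by the emergency stop routine before power-down */
    s->have_last = false;
    s->last_value = 0;
    s->next_request_ms = now_ms + RESOLVER_PERIOD_MS;
    s->last_request_ms = now_ms;
}

/* Circuit 52 timer (steps 434/436): true when "start resolver" is issued now. */
bool circuit52_tick(pd_state_t *s, long now_ms) {
    if (s->error || now_ms < s->next_request_ms) return false;
    s->next_request_ms += RESOLVER_PERIOD_MS;
    return true;
}

/* Circuit 54 supervision (step 438): no request within 200 ms means circuit 52
   has failed; the axis is marked asynchronous (step 440). Returns false on error. */
bool circuit54_supervise(pd_state_t *s, long now_ms, bool request_seen) {
    if (s->error) return false;
    if (request_seen) {
        s->last_request_ms = now_ms;
        return true;
    }
    if (now_ms - s->last_request_ms > RESOLVER_PERIOD_MS) {
        s->error = true;
        s->sync_flag = false;   /* synchronous flag set back */
        return false;
    }
    return true;
}

/* Steps 450-458: the new actual value must equal the previous one, because
   the axis must not move while only the resolver evaluation is powered. */
bool pd_evaluate(pd_state_t *s, long value) {
    if (s->error) return false;
    if (s->have_last && value != s->last_value) {
        s->error = true;        /* step 454: error, cyclic processing stops */
        s->sync_flag = false;
        return false;
    }
    s->last_value = value;      /* stored in processor-internal SRAM (step 456) */
    s->have_last = true;
    s->sync_flag = true;        /* step 458 */
    return true;
}
```

The supervision uses a strict "longer than 200 ms" test, so a request that arrives exactly on the period boundary is still accepted; once either the timeout or the value comparison has set the error, every later call returns false, mirroring the text's point that an error in one circuit forces the partner into the error status as well.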

As soon as network power returns, no hardware reset is run in the case of an active accumulator buffer system. The actual status value stored in both circuits 52, 54 in the processor-internal SRAM 106, 122 and the status information are transferred by both circuits to the safety controller 38 in accordance with program step 462, 462′ after returning to standard mode. If no error occurred on either side and if both actual status values are identical, the axis is set synchronous with the absolute value of the safety controller and released for automatic operation. If no accumulator buffer system is active or if the buffer power breaks down, e.g. when the accumulator is discharged, the actual status values stored in the flash are retrieved and compared to each other after restarting the system. It is not until the synchronous position has been started up successfully that the axis is set synchronous by the safety controller with absolute values.

FIG. 24 depicts a basic logic diagram 464, which shows the active hardware in power down mode. In the power down mode, only the resolver evaluation electronics is active. It consists of the resolver, the analog-to-digital converters 114, 136, the reference value transmitter 138 and the micro-computers 102, 120 with the assigned flash 111, 123. When the main switch is turned off, an external dc-dc converter 466 is connected directly to the network power supply without it being able to be switched via the main switch of the robot control. The dc-dc converter 466 is connected to an accumulator 468, which supplies the resolver evaluation electronics with voltage in case of a power failure. The dc-dc converter 466 is monitored via an integrated ACFAIL monitoring device 470. In case of a power failure, an IR-ACFAIL signal is generated, which is fed to the micro-computer 102 and the control element 138. For the process after that, please refer to the flow chart in FIG. 22.

In case of a drop in power, a hardware reset is triggered in each circuit 52, 54 by a separate supervisor IC (not shown). After that, both circuits 52, 54 are rebooted and initialized, with the stored status information in the internal SRAM 106, 122 being deleted. The actual status values stored in the respective system flash 111, 123 and the synchronous flag are transmitted to the safety controller 38 via the respective CAN_B bus. In the safety controller 38 a decision is made whether the actual status values of both circuits 52, 54 are in agreement and whether the synchronous flag is set in both circuits. After that, the axes are moved into the synchronous position by the robot control 36, and the safety controller 38 sets a release for automatic operation when the sync pos input becomes known for correct actual axis values.

If the actual status values of the two circuits 52, 54 differ from each other or if the synchronous flag has not been set, the axes are asynchronous and must be synchronized by an operator. To accomplish this, the axes are also moved into the synchronous position by the robot control, and then the safety controller 38 sets the release for automatic operation when the sync pos input becomes known for correct actual axis values.

In the case of the accumulator buffer system, no hardware reset is conducted when power returns. The stored status information (synchronous/asynchronous) and the actual status value in the respective internal SRAMs 106, 122 are transmitted by both circuits to the safety controller 38. The safety controller compares whether the actual status values of both circuits 52, 54 are in agreement and whether a synchronous flag was set in both circuits. If this is the case, the safety controller 38 sets a release for automatic operation, but the synchronous position does not have to be assumed. If the actual status values of the two circuits differ or if the synchronous flag was not set, the axes are asynchronous and must be synchronized by an operator. To accomplish this, the axes are moved into the synchronous position by the robot control 36. After that, the safety controller 38 sets its release for automatic operation when the sync pos input has been recognized for correct actual axis values.

What is claimed is:
 1. Monitoring and control device (38) for monitoring a technical system (10) with enhanced safety requirements that comprises at least one portable and/or mobile and/or immobile device, a handling device arranged in a protective device, with at least one preferably central and/or decentralized control unit (36) as well as actuators (24-30; K1, K2) connected to the control unit for executing dangerous operations, whereby the monitoring and control device (38) is connected to sensors (20, 22) and/or actuators (24-30) and evaluates, processes and controls their status, the control unit (36) is connected to sensors (20, 22) and/or at least one of the actuators (24-30) and the monitoring and control device (38) via at least one data circuit, that the monitoring and control device (38) transmits at least one release signal to the control unit (36) in accordance with the status of the sensors (20, 22) and/or actuators (24-30) in order to enable at least one operation in the technical system (10), that the release signal triggers an operation, which is monitored by the monitoring and control device (38) by comparing the release signal with stored and/or specified execution and/or function and/or plausibility specifications or processes of movements, and that in case of an error at least one other signal is generated, which transfers the system into a safe condition, characterized in that microcontrollers (58, 60, 102, 120) are connected to each other via a connection (88) for mutual data exchange purposes, that the actual status values transmitted by the drive controls (50) are declared with an identifier and that upon receipt of these identifiers an interrupt is triggered in each microcontroller (58, 60, 102, 120) of the monitoring and control device, and that the monitoring and control device is equipped with a time expectancy device for safety-related data and that each actual status value and/or value range is assigned at least one safety-related output and/or input (92, 94) of the monitoring and control device (38), with the outputs and/or inputs being connected to passive and/or active switching elements (96, 98).
 2. Monitoring and control device in accordance with claim 1, characterized by the fact that the actuator (24-30; K1, K2) and/or the sensor (20, 22) has the design of a safety device (14) that transfers the technical system (10) into a safe status.
 3. Monitoring and control device in accordance with claim 1, characterized by the fact that the actuator (24-30) includes in particular a drive unit (24-30) with appropriate drive control (50), a contactor (K1, K2), a relay or a valve.
 4. Monitoring and control device in accordance with claim 1, characterized by the fact that the operation comprises a process of movements.
 5. Monitoring and control device in accordance with claim 1, characterized by the fact that the data circuit comprises a serial bus line (CAN_A).
 6. Monitoring and control device in accordance with claim 5, characterized by the fact that the monitoring and control device (38) is equipped with two channels, each with at least one microcontroller (58, 60, 102, 120), with each microcontroller (58, 60, 102, 120) being connected to the bus line (CAN_A, CAN_B) via a bus controller (62, 64).
 7. Monitoring and control device in accordance with claim 1, characterized by the fact that the control unit (36) and the monitoring and control device (38) are physically separate devices.
 8. Monitoring and control device in accordance with claim 1, characterized by the fact that a target status value signal is transmitted continuously or once to at least one connected drive control (50) and/or to the monitoring and control device and that from the at least one drive control (50) actual status value signals are transmitted at least to the control unit (36), or to both the control unit (36) and the monitoring and control device (38), that the actual status value signals of every drive control (50) are compared to drive-specific values and/or value ranges that have been stored in the monitoring and control device (38) and been transferred by the control unit (36), and that upon deviation from the respective value and/or value range the other signal is generated.
 9. Monitoring and control device in accordance with claim 8, characterized by the fact that the actual status values of individual drive units (24-30) are calculated in the monitoring and control device (38) and/or the control unit (36) through kinematic-specific transformation to a handling device specific point (304) and that Cartesian value ranges are stored in a table for n-dimensional movement, wherein n=3, with every actual status value range being assigned at least one output of the monitoring and control device (38).
 10. Monitoring and control device in accordance with claim 9, characterized by the fact that the n-dimensional, wherein n=2 or n=3, value ranges stored in the tables are compared with received and transformed actual status values during every cycle.
 11. Monitoring and control device in accordance with claim 8, characterized by the fact that the actual status values of all drive units (24-30) are determined and are calculated to a handling device specific point (304) through kinematic-specific transformation and that a Cartesian speed of the point (304) is calculated from at least two transformed position values through differentiation and compared to a specified maximum speed.
 12. Monitoring and control device in accordance with claim 11, characterized by the fact that monitoring of the speed occurs in a cyclical manner.
 13. Monitoring and control device in accordance with claim 12, characterized by the fact that upon triggering the other signal a Cartesian starting speed V_(Start) of a point (304) is determined and stored, that after a time period ΔT a current speed V_(curr) is determined and compared to the starting speed V_(Start), with the system being transferred immediately into a safe status when the current speed V_(curr) is equal to or larger than the starting speed V_(Start) after the time period ΔT.
 14. Monitoring and control device in accordance with claim 1, characterized by the fact that the monitoring and control device (38) is equipped with a two-channel output and input level (66) with crosswise data comparison for evaluating electromechanical safety switches (366) and for addressing external switching devices (376, 378) and/or that at least one additional bus connection (72) is provided in order to integrate the monitoring and control device (38) into a higher-ranking safety bus.
 15. Monitoring and control device in accordance with claim 1, characterized by the fact that the control unit (36) transmits target status value information for driving to defined positions to the at least one of the actuators (24-30) and to the monitoring and control device (30), with the defined positions being assigned drive-specific values that are transmitted to the monitoring and control device and compared to measured actual status values of the actuators (24-30) and monitored.
 16. Monitoring and control device in accordance with claim 1, characterized by the fact that with regard to a drive unit (24-30) or drive axis a variety of value ranges is defined, which are monitored by the monitoring and control device (38) in a drive-specific manner, with each actual status value and/or value range being assigned one or more outputs of the monitoring and control device (38).
 17. Monitoring and control device in accordance with claim 16, characterized by the fact that the actual status values and/or value ranges can be programmed in a drive-specific manner.